AUTHENTICATED , 
US. GOVERNMENT 
INFORMATION ^ 


PLANNING FOR THE FUTURE 
OF CYBER ATTACK ATTRIBUTION 


HEARING 

BEFORE THE 

SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION 

COMMITTEE ON SCIENCE AND 
TECHNOLOGY 

HOUSE OF REPRESENTATDH]S 

ONE HUNDRED ELEVENTH CONGRESS 

SECOND SESSION 

JULY 15, 2010 

Serial No. 111-105 


Printed for the use of the Committee on Science and Technology 



Available via the World Wide Web: http://www.science.house.gov 


U.S. GOVERNMENT PRINTING OFFICE 
57-603PDF WASHINGTON : 2010 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 


COMMITTEE ON SCIENCE AND TECHNOLOGY 

HON. BART GORDON, Tennessee, Chair 


JERRY F. COSTELLO, Illinois 

EDDIE BERNICE JOHNSON, Texas 

LYNN C. WOOLSEY, California 

DAVID WU, Oregon 

BRIAN BAIRD, Washington 

BRAD MILLER, North Carolina 

DANIEL LIPINSKI, Illinois 

GABRIELLE GIFFORDS, Arizona 

DONNA F. EDWARDS, Maryland 

MARCIA L. FUDGE, Ohio 

BEN R. LUJAN, New Mexico 

PAUL D. TONKO, New York 

STEVEN R. ROTHMAN, New Jersey 

JIM MATHESON, Utah 

LINCOLN DAVIS, Tennessee 

BEN CHANDLER, Kentucky 

RUSS CARNAHAN, Missouri 

BARON P. HILL, Indiana 

HARRY E. MITCHELL, Arizona 

CHARLES A. WILSON, Ohio 

KATHLEEN DAHLKEMPER, Pennsylvania 

ALAN GRAYSON, Florida 

SUZANNE M. KOSMAS, Florida 

GARY C. PETERS, Michigan 

JOHN GARAMENDI, California 

VACANCY 


RALPH M. HALL, Texas 
F. JAMES SENSENBRENNER JR., 
Wisconsin 

LAMAR S. SMITH, Texas 
DANA ROHRABACHER, California 
ROSCOE G. BARTLETT, Maryland 
VERNON J. EHLERS, Michigan 
FRANK D. LUCAS, Oklahoma 
JUDY BIGGERT, Illinois 
W. TODD AKIN, Missouri 
RANDY NEUGEBAUER, Texas 
BOB INGLIS, South Carolina 
MICHAEL T. McCAUL, Texas 
MARIO DIAZ-BALART, Florida 
BRIAN P. BILBRAY, California 
ADRIAN SMITH, Nebraska 
PAUL C. BROUN, Georgia 
PETE OLSON, Texas 


Subcommittee on Technology and Innovation 


HON. DAVID WU, Oregon, Chair 


DONNA F. EDWARDS, Maryland 
BEN R. LUJAN, New Mexico 
PAUL D. TONKO, New York 
HARRY E. MITCHELL, Arizona 
GARY C. PETERS, Michigan 
JOHN GARAMENDI, California 
BART GORDON, Tennessee 


ADRIAN SMITH, Nebraska 
JUDY BIGGERT, Illinois 
W. TODD AKIN, Missouri 
PAUL C. BROUN, Georgia 


RALPH M. HALL, Texas 


HILARY CAIN Subcommittee Staff Director 
MEGHAN HOUSEWRIGHT Democratic Professional Staff Member 
TRAVIS HITE Democratic Professional Staff Member 
MELE WILLIAMS Republican Professional Staff Member 
VICTORIA JOHNSTON Research Assistant 


(H) 



CONTENTS 

July 15, 2010 

Page 

Witness List 2 

Hearing Charter 3 

Opening Statements 

Statement by Representative David Wu, Chairman, Subcommittee on Tech- 
nology and Innovation, Committee on Science and Technology, U.S. House 

of Representatives 6 

Written Statement 7 

Statement by Representative Ralph M. Hall, Ranking Minority Member, 

Committee on Science and Technology, U.S. House of Representatives 7 

Written Statement by Representative Adrian Smith, Ranking Minority 
Member, Subcommittee on Technology and Innovation, Committee on 
Science and Technology, U.S. House of Representatives 8 

Witnesses: 

Dr. David A. Wheeler, Research Staff Member, Information Technology and 
Systems Division, Institute for Defense Analyses 

Oral Statement 9 

Written Statement 10 

Biography 87 

Mr. Robert Knake, International Affairs Fellow, Council on Foreign Relations 

Oral Statement 88 

Written Statement 90 

Biography 98 

Mr. Ed Giorgio, President and Co-Founder, Ponte Technologies 

Oral Statement 98 

Written Statement 100 

Biography 108 

Mr. Marc Rotenberg, President, Electronic Privacy Information Center 

Oral Statement 108 

Written Statement 110 

Biography 118 

Appendix: Answers to Post-Hearing Questions 

Dr. David A. Wheeler, Research Staff Member, Information Technology and 

Systems Division, Institute for Defense Analyses 132 

Mr. Robert Knake, International Affairs Fellow, Council on Foreign Relations 135 

Mr. Ed Giorgio, President and Co-Founder, Ponte Technologies 137 

Mr. Marc Rotenberg, President, Electronic Privacy Information Center 139 


(III) 




PLANNING FOR THE FUTURE OF CYBER 
ATTACK ATTRIBUTION 


THURSDAY, JULY 15, 2010 

House of Representatives, 
Subcommittee on Technology and Innovation, 

Committee on Science and Technology, 

Washington, DC. 

The Subcommittee met, pursuant to call, at 10:04 a.m., in Room 
2318 of the Rayburn House Office Building, Hon. David Wu [Chair- 
man of the Subcommittee] presiding. 


( 1 ) 



2 




U-S. House Of AEPASSCNTATTVES 

COMMITTEE ON SCIENCE AND TECHNOLOGY 

sum zai wmmn housi o»»ci suaom 
W rASMNOnM. DC 
umm-cm 


SulKommiltcc on Tcchnul»}>v nnil Innovation's 
Hearing on 

Planning for the Future of Cyber Attack Attribution 

Thunday, Jut) 1 5. 2010 
lO.OO 0411. o l2.(K>pm 
231 X Ro>bum KfHMcOtllM Buililui§ 

Dr. t>a%ul A. Whrclcr 

Rocarch StofT Sfetnher. Inftirmaiion lechnDJug) and S)stcmo Divittaw 
liMiiuic for Dcfctioe Analyses 

Mr. Rubrrt Knalte 

IntcmaiKuuJ AfToin Fdloia. Council on Fineign Rclnuoni 
Mr. FUl (;i>rvia 

President and CenFounder. PMie Technologies 
Mr. Stare Rolmbrrg 

Presadent. Electronic Privacy Inrocmalion ('enter 



3 


HEAHING CHARTER 

COMMITTEE ON SCIENCE AND TECHNOLOGY 
SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION 
U.S. HOUSE OF REPRESENTATIVES 

Planning for the Future of 
Cyber Attack Attribution 

THURSDAY, JULY 15, 2010 

io:oo A.M.-i2:oo p.m. 

2318 RAYBURN HOUSE OFFICE BUILDING 


I. Purpose 

On Thursday, July 15, 2010, the Subcommittee on Technology and Innovation will 
hold a hearing to discuss attribution in cyber attacks, and how attribution tech- 
nologies have the potential to affect the anonymity and privacy of internet users. 

II. Witnesses 

Dr. David Wheeler is a Research Staff Member of the Information Technology 
and Systems Division at the Institute for Defense Analyses. 

Mr. Robert Knake is an International Affairs Fellow at the Council on Foreign 
Relations. 

Mr. Ed Giorgio is the President and Co-Founder of Ponte Technologies. 

Mr. Marc Rotenberg is the President of the Electronic Privacy Information Cen- 
ter. 

III. Background 

Cyber Attacks 

Statistics clearly show that cyber attacks are common and costly. Following a re- 
cent survey of more than 2000 companies worldwide, Symantec reported that 42 
percent rated cyber risk as their top concern, beating out other risks such as natural 
disasters, terrorism, and traditional crime. Symantec also reported that 75 percent 
of companies reported cyber attacks in the past twelve months and that 92 percent 
had seen significant monetary costs, averaging $2 million per year per company, as 
a result of those attacks. ^ 

A 2004 Congressional Research Service report stated that “the stock price impact 
of cyber-attacks show that identified target firms suffer losses of l%-5% in the days 
after an attack. For the average New York Stock Exchange corporation, price drops 
of these magnitudes translate into shareholder losses of between $50 million and 
$200 million”.^ According to a Market Wire article published in 2007, the economic 
impact from one comprehensive cyber attack on critical infrastructure could exceed 
$700 billion.3 

Role of Attribution Technology 

Being able to identify an attacker can be a strong deterrent against attack. Dur- 
ing the Cold War, the Soviet Union and the United States remained in a nuclear 
standoff because either country would have been able to identify its attacker and 
stage a counter attack. In contrast, if a person, company, or government is attacked 
in cyberspace, it is often arduous — if not impossible — to determine the perpetrator 
of the attack. 


1 Symantec. (2010). 2010 State of Enterprise Security Global Results. Retrieved from http:! j 
www.slideslmre.net I Symantec 1 2010-state-of-enterprise-security 
^Congressional Research Service. (2004, April 1). The Economic Impact of Cyber -Attacks. 
(Order Code RL32331). Washington, D.C.: Congressional Research Service. Retrieved from 
http:! ! www.cisco.com I warp / public 1 779 1 govtaffairs I images I CRS -Cyber -Attacks.pdf 
3 “New Research Shows Cyber Attack Could Cost U.S. 50 Times More Than Katrina”. Market 
Wire. FindArticles.com. 09 Jul, 2010. http: t / findarticles.comtp I articles I mi-pwwil is -200707 / 
ai-nl9429846/ 



4 


Attribution technologies can be a useful tool in identifying and locating the assail- 
ant in a cyber attack. In terms of cyber attacks, attribution can be defined as “deter- 
mining the identity or location of an attacker or an attacker’s intermediary”.'^ The 
attacker’s identity can include a person’s name, account information, or an alias. 
The location may include a geographical location or a virtual location, such as an 
IP address or Ethernet address. 

In some cases, attribution technology may simply trace an attack back to an inter- 
mediary through which the attacker worked. For example, an attack can be trans- 
mitted via a fleet of ‘zombies’, or computers that can both delay and increase the 
severity of the attack. A sophisticated attacker may even be able to hide his or her 
identity so well that those looking for the attacker might falsely attribute the attack 
to an unrelated party. This can be done by an attacker who intentionally creates 
a false trail by sending incorrect data through any attribution process. To be effec- 
tive and useful, new attribution technologies will need to have the ability to counter 
these, and future, methods of contravention. 

The December 2009 attack on Google email accounts belonging to Chinese human 
rights activists in the United States, Europe, and China demonstrates the need for 
improvements in attribution technologies. Because the attacks showed a new level 
of sophistication, attributing their source has been a particularly difficult process. 
While the U.S. has been successful in tracing the attacks to two technical schools, 
it is still not known who was specifically behind these attacks. 

In addition to helping to gain information about an isolated attack on a specific 
machine or network, successful attribution technologies can also be used to increase 
the security of the internet for people accessing personal information online — log- 
ging into a personal bank account, for example. If an online account required a rec- 
ognizable IP range in addition to a pin code to retrieve account information, the 
ability of a hacker to access the account would be limited. 

Anonymity and Privacy 

Complete attribution may have negative ramifications for internet anonymity and 
privacy. For example, dissidents in countries where the government censures 
websites with firewalls may bypass or attack those firewalls to access prohibited in- 
formation. If the government had attribution technology that allowed it to com- 
pletely attribute the attack to its firewall, the government might use the informa- 
tion gained through attribution to punish dissidents for accessing the information. 
There is also the potential for attribution technologies to be used by a government, 
a company, or individual to identify the source of a posting or comment on the inter- 
net that is intended to be anonymous. 

IV. Issues and Concerns 

As more and more of the Nation’s infrastructure becomes dependent on the inter- 
net, the potential impact of a successful cyber attack against the United States in- 
creases. Many of the tools we rely upon in our daily lives (traffic lights, restocking 
food supplies, millions of office jobs, etc.) have the potential to be rendered non-func- 
tional through a cyber attack. While attribution technologies may play an important 
role in limiting the effects of such crippling attacks, there may need to be clearly 
defined limits on when such technologies should be used. For example, proactively 
tracing interactions within a system may help determine where an attack originated 
after one occurs, but tracing every interaction is impractical and quite likely uncon- 
stitutional. It may be appropriate, therefore, to limit the use of attribution tech- 
nology in most cases to post-attack. 

A second area of interest is who is, or should be, responsible for the development, 
coordination, and implementation of attribution technologies. Even if some critical 
infrastructure is privately owned, the government arguably has a responsibility to 
its citizens to ensure that the infrastructure is protected. Given the interest in en- 
suring that government resources are utilized efficiently, there may be a need to 
strengthen coordination and collaboration between government and industry on the 
development of new attribution technologies in order to avoid redundancy and lever- 
age resources. 

There may also be a need to determine the appropriate role of the government 
in responding to cyber attacks on private companies and individuals. In general, if 
a company or individual is physically attacked by an outside government, a com- 
pany, or an individual, it is quite likely that the government would step in and de- 
fend the attacked company or individual. If a company or individual is the victim 


^ David A. Wheeler and Gregory N. Larsen, Techniques for Cyber Attack Attribution (Institute 
for Defense Analysis, IDA Paper P-3792. October 2003), p.l 



5 


of a cyber attack, it is currently unclear what the government’s role is, or should 
be, in responding to the attack. 

Finally, the implications of attribution technologies for the anonymity and privacy 
of internet users should be considered. It may be necessary to consider ways to limit 
the use of attribution technologies to identifying the source of cyber attacks and in 
ways that do not suppress the freedom of speech or otherwise implicate the anonym- 
ity and privacy of people using the internet for legitimate purposes. There may also 
be a need to determine who (government or industry or both) should maintain re- 
sponsibility for ensuring that attribution technologies are used consistent with any 
identified limits. 

V. Overarching Questions 

The following questions were asked of each witness: 

• As has been stated by many experts, deterrence is a productive way to pre- 
vent physical attacks. How can attack attribution play a role in deterring 
cyber attacks? 

• What are the proper roles of both the government and private industry in de- 
veloping and improving attack attribution capabilities? What R&D is needed 
to address capability gaps in attack attribution and who should be responsible 
for completing that R&D? 

• What are the distinguishing factors between anonymity and privacy? How 
should we account for both in the development and use of attribution tech- 
nologies? 

• Is there a need for standards in the development and implementation of at- 
tack attribution technologies? Is there a specific need for privacy standards 
and if so, what should be the government’s role in the development of these 
standards? 



6 


Chairman Wu. The hearing will come to order. 

Good morning, and thank you very much for being at this cyher 
attribution hearing. 

This cybersecurity hearing is one in a series that this Sub- 
committee has held on ways that we can protect our Nation’s crit- 
ical cyber infrastructure. Over the last two years, we have held 
hearings on cybersecurity activities at the National Institute of 
Standards and Technology and the Department of Homeland Secu- 
rity, as well as on the Administration’s Cyberspace Policy Review. 
Just two weeks ago, we had an important hearing on the Smart 
Grid, and spent a great deal of time talking about the necessity of 
developing strong cybersecurity standards for our national energy 
infrastructure. 

We are well aware of the critical role that IT [Information Tech- 
nology] networks play in managing much of our day-to-day activity 
from online banking to systems that make sure there is food on our 
grocery shelves. This growing reliance on networks has made us 
more vulnerable to cyber attacks and has increased the potential 
for such attacks to have far-reaching and crippling effects. Now 
more than ever, we need to be focused on the development of tools 
and technologies to prevent, detect, and respond to cyber attacks. 

History shows that one of the best deterrents to an attack is the 
ability to identify your attacker. The question is whether such de- 
terrence methods are still relevant today. During the Cold War, the 
United States and the Soviet Union, each with quite expansive of- 
fensive capabilities, were held in check by the notion that an attack 
would result in retaliation. This was achieved because each country 
would have been able to precisely identify its attacker. This method 
of deterrence, the ability to attribute an attack to a particular per- 
son, party or system, can be equally vital to defending against 
cyber attack. While they are not the end-all solution to our 
cybersecurity challenges, the development of effective and reliable 
attribution technologies should be an essential part of our efforts 
to secure the Nation’s cyberspace. 

Given that the Internet is intended to be open and anonymous, 
the attribution of cyber attacks can be very, very difficult to 
achieve and should not be taken lightly. As co-chair of the Global 
Internet Freedom Caucus in the House, I am personally very con- 
cerned about the potential implications to privacy, anonymity and 
Internet freedom posed by attribution technologies. As a result, I 
believe that it is absolutely imperative that we define and imple- 
ment clear restrictions on how attribution technologies are devel- 
oped and used to ensure that they are not misused. 

I look forward to today’s discussion on attribution technologies 
and how they may help deter cyber attacks. I am interested in dis- 
cussing the proper roles of the Federal Government and private in- 
dustry in the development of these technologies, and the research 
and development that is needed to fill capability gaps. I am sure — 
and I am particularly eager to discuss ways to ensure that attribu- 
tion technologies are not used to infringe upon the safety, privacy 
or individual liberties of Internet users. 

I would like to thank the witnesses for appearing before us 
today, and I look forward to our discussion. 



7 


Now I recognize Mr. Hall, the Ranking Member of the Full Com- 
mittee, for his opening statement. 

[The prepared statement of Chairman Wu follows:] 

Prepared Statement of Chairman David Wu 

Good morning and thank you for coming to today’s hearing focused on interoper- 
ability in public safety communication equipment. 

We’ve learned an important lesson from September 11th, Hurricane Katrina, and 
other disasters: interoperable communication is critical to effective emergency re- 
sponse. When time is of the essence and lives are at stake, a clear flow of informa- 
tion is essential. Unfortunately, it is not uncommon for police officers and fire- 
fighters from a single region, or even a single city, to be using incompatible commu- 
nication systems. This lack of interoperability has contributed to the deaths of first 
responders and hindered the ability to rescue people in harm’s way. 

Enabling interoperable communication systems, where public safety personnel can 
talk with each other in real-time, takes planning and cooperation by all levels of 
government. However, interoperability also demands radios that are capable of com- 
municating with one another. First responders on digital land mobile radio systems 
built to proprietary specifications cannot communicate. Ad-hoc solutions, like 
patching technologies or sharing radios, are less efficient than the seamless inter- 
operability offered by systems based on open architecture. 

The purpose of today’s hearing is to examine the status of the standards develop- 
ment process for this open architecture. Since 1989, the public safety community 
and industry have been working together on Project-25, or P25, a suite of standards 
that will not only enable interoperability, but also promote competition in the mar- 
ketplace for digital land mobile radio systems and provide other benefits. While 
there has been a lot of progress on the P25 standards since 1989, the entire set of 
standards remains incomplete. I would like to understand the implications of this 
for public safety agencies procuring systems sold as “P25 compliant” and get a bet- 
ter sense of when we realistically can expect all of the standards to be completed. 

A second issue that we will discuss today is the lack of a formal compliance as- 
sessment process for the P25 standards. A compliance assessment process signals 
to the purchaser that a product meets all of the requirements of a standard. Any 
laptop with a Wi-Fi logo, or any toaster with an Underwriter’s Laboratory sticker, 
had to go through testing and certification to be able to display those marks. P25 
does not have an equivalent process. The Department of Homeland Security’s Com- 
pliance Assessment Program fills this gap, but we must be sure it provides the high- 
est possible level of assurance to the public safety community that systems sold as 
P25-complaint actually meet all of the requirements of the standards. It seems to 
me that there ought to be a formal, comprehensive system in place to ensure that 
it is not caveat emptor when first responders spend millions of dollars on complex 
communications technology. 

The most important question for the first responders who rely on this equipment 
is “does it work?” In addition to being mission-critical technology, these systems rep- 
resent major expenditures for government agencies across the country. Particularly 
at a time of uncertain and dwindling budgets, cost-effective procurement enabled by 
an open-architecture is essential. 

I’d like to thank our witnesses for being here today. Project 25 is unique in the 
world of standards development in that the users of the technology — in this case, 
our public safety officials — are integral to, and directly involved in, the standards 
development process. It is important that this process move forward, and that the 
public safety community and industry continue to work together to make further ad- 
vances in first responder technology. 

Mr. Hall. Thank you, Mr. Chairman, and since you have made 
an excellent opening statement and covered almost everything, I 
can he brief, and I am filling in for the Ranking Member, Mr. 
Smith, and I thank you for calling the hearing on cyber attack at- 
tribution technologies. I also want to thank our very distinguished 
panel. We rely on you to tell us what the facts are, and from that 
we glean legislation, and don’t be disturbed by the empty chairs 
here because they will all receive copies of your testimony, and 
many have received copies ahead of time. I have scanned through 
your testimony. I want to thank the panel for being here and ask 



8 


you to remember that we are not technical experts, so keep it as 
simple as you possibly can. I have read some of your testimony and 
understood a lot of it. Ranking Smith is going to be here shortly. 
In the event it takes him longer than expected, I ask unanimous 
consent that his statement be made a part of the record, Mr. Chair- 
man. 

Otherwise I will yield the remainder of my time to him when he 
arrives. Thank you, sir. 

[The prepared statement of Mr. Smith follows:] 

Prepared Statement of Representative Adrian Smith 

Thank you, Chairman Wu, for calling today’s hearing on cyber attack attribution. 
Once again this subcommittee will have the opportunity to hear from an out- 
standing panel of expert witnesses, and I thank them for taking the time to be with 
us today. 

With the integration of computing technology into nearly every aspect of our pro- 
fessional and private lives — from growing our food to managing our electrical grid 
to tracking every financial transaction no matter how small — the threat of a cata- 
strophic attack on the networks which manage every sector of our economic and se- 
curity infrastructure has also grown exponentially. 

As we search for effective ways to prevent such an attack, one widely discussed 
means is deterrence through attribution — ensuring would-be attackers know any ac- 
tivities would be traced back to them with reciprocal action in return. 

The work of tracing such attacks, particularly in the United States where the pre- 
sumption of innocence is sacrosanct and where privacy for the innocent is respected, 
this is easier said than done. This raises a number of questions I hope we can ad- 
dress in today’s hearing: 

- What are the best methods for tracing attacks? 

- What harriers exist, aside from technological ones, to tracing attacks inside 
and outside our borders? 

- If we can trace attacks, what is an effective deterrent to prevent them? 

- And if we can answer the first three questions effectively, what is the role 
for standards-setting bodies in assisting government and the private sector in 
reaching those conclusions? 

I hope we can also consider the consequences of traceability on the overwhelming 
majority who use computer systems lawfully and whose privacy we should respect. 

Before we move on to hearing from our witness, I would like to briefly note it is 
my understanding a follow-up hearing in which we hear from NIST, National 
Science Foundation, and other applicable Federal agencies is under consideration, 
and I would like to offer my support for holding such a hearing. 

Thank you again. Chairman Wu and witnesses. I expect we will learn a lot today, 
and I yield back the balance of my time. 

Chairman Wu. Thank you very much, Mr. Hall. 

If there are Members who wish to submit opening statements, 
your statements will be added to the record at this point. And I 
also want to recognize the Chairman of the Full Committee, who 
is in attendance, and Chairman Gordon — ^very good. Thank you. 

Now it is my pleasure to introduce our witnesses. Dr. David A. 
Wheeler is a Research Staff Member of the Information Technology 
and Systems Division at the Institute for Defense Analyses. Mr. 
Robert Knake is International Affairs Fellow at the Council on For- 
eign Relations. Mr. Ed Giorgio is the President and Co-Founder of 
Ponte Technologies. He also has over 30 years of security experi- 
ence at the National Security Agency, or NSA, and is a leading au- 
thority on security and cryptography, and I want to recognize that 
Mr. Giorgio is also wearing a Distinguished Service Medal awarded 
by the NSA. And our final witness is Mr. Marc Rotenberg, who is 
the President of the Electronic Privacy Information Center, or 



9 


EPIC, and at our prior hearing on grid security, one of your vice 
presidents provided very, very interesting, elucidating comments. 

You will each have five minutes for your spoken testimony, and 
your written testimony will be included in the record of this hear- 
ing. When you all complete your testimony, we will begin with 
questions, and each Member will have five minutes to question the 
witnesses. 

Dr. Wheeler, please proceed. 

STATEMENT OF DAVID A. WHEELER, RESEARCH STAFF MEM- 
BER, INFORMATION TECHNOLOGY AND SYSTEMS DIVISION, 

INSTITUTE FOR DEFENSE ANALYSES 

Dr. Wheeler. Mr. Chairman, distinguished Members of the 
House Subcommittee on Technology and Innovation and the Com- 
mittee on Science and Technology, I am delighted to speak with 
you today. As noted, my name is Dr. David A. Wheeler. I work at 
the Institute for Defense Analyses, also known as IDA. IDA is, and 
I quote, “a nonprofit corporation that operates three federally fund- 
ed research and development centers,” or FFRDCs. These FFRDCs 
provide objective analyses of national security issues, particularly 
those requiring scientific and technical expertise, and they conduct 
related research on other national challenges. 

In 2002 and 2003, I developed a survey of cyber attack attribu- 
tion technologies on behalf of the Department of Defense, DoD. 
This survey has been provided to this Subcommittee and is also 
available to the public from the Defense Technical Information 
Center as IDA paper P-3792, Techniques on Cyber Attribution. At- 
tribution in this context is determining the identity or location of 
an attacker or an attacker’s intermediary. Since writing that paper, 
I have worked on improving the security and assurance of systems, 
lowering supply chain risks, improving open standards and elimi- 
nating barriers to the use and development of open source soft- 
ware. 

It is good that this Subcommittee is examining the relationship 
between attribution, privacy and anonymity. As I noted in my 
paper, we should be concerned if attribution technologies developed 
in democracies are acquired and redeployed by governments with 
abusive human rights records to suppress freedom of speech and 
democracy movements. 

Apart from any concern of abuse by foreign governments, the use 
of these techniques by our government requires consideration of 
the Fourth Amendment’s guarantee that people must be secure 
against unreasonable searches and seizures. Section 3.13 of my 
paper specifically discusses the need to protect privacy and freedom 
of speech. With that as context, I will address the overarching 
questions in this hearing’s charter. 

The first question asked about the role of attack attribution in 
deterring cyber attacks. It noted that deterrence is a productive 
way to prevent physical attacks. In a similar way, cyber attack at- 
tribution can play an important role in deterring cyber attacks by 
enabling many deterrence measures. While there is great need to 
harden U.S. infrastructure from cyber attacks, passive computer 
network defenses cannot be and never will be perfect. This means 
that in some cases we may need to be able to respond to an attack. 



10 


Unfortunately, many other countermeasures such as computer net- 
work counterattack, legal action and kinetic energy counterattack 
can only be deployed if the source of the attack can be attributed 
with high confidence. 

The second question asked what roles that government and pri- 
vate industry should play. As of 2003, there was little evidence that 
the commercial sector was willing to shoulder the costs to develop 
attribution capabilities. Most commercial companies appear to view 
identifying attackers as a law enforcement or military task, not a 
commercial one. If the government wants the ability to attribute 
attacks, in many cases the government may need to pay for it di- 
rectly. One approach is to fund development and deployment of 
these abilities for widely used applications both proprietary and 
open source software. More than one product in each category 
should be funded, so that the government is not locked into a sin- 
gle supplier. 

The third question asked for the distinguishing factors between 
anonymity and privacy and how to account for both in the develop- 
ment and use of attribution technologies. As I noted in my paper, 
if the United States is to develop attribution technology, it should 
encourage the development or implementation of those attribution 
technologies that pose less danger to privacy. For example, logging 
systems could store message hashes, also known as message finger- 
prints, instead of the messages themselves. Since the data isn’t 
stored, hashing only supports attribution of data the requester has 
already seen. A key part of implementing attribution technologies 
with few risks to privacy and anonymity is to ensure that any 
standards development related to attribution should include efforts 
to address these privacy and anonymity concerns. 

This brings me to the issue of standards, the focus of the fourth 
question. Standards are critically necessary for some attribution 
technologies, and the standards development process should work 
to address these privacy and anonymity concerns through public 
development and review. Such standards should be open standards 
to permit competition; in particular, they should be publicly defined 
and held and shouldn’t be patent-encumbered. This suggests that 
the U.S. government should be involved in the development of such 
standards to ensure that its needs and concerns are met, just as 
the government is already involved in the development of stand- 
ards where there are specific government needs and concerns. 

I will be happy to address your questions. 

[The prepared statement of Dr. Wheeler follows:] 

Prepared Statement of David A. Wheeler 

It is an honor to provide testimony to you. Please consider the attached paper, 
“Techniques for Cyber Attack Attribution” (IDA Paper P-3792) as my written testi- 
mony. This paper discusses techniques for cyber attack attribution, including notes 
about the relationship of attribution to privacy. 



11 



INSTITUTE FOR DEFENSE ANALYSES 


Techniques for Cyber Attack Attribution 

David A. Wheeler 
Gregory N. Larsen. Task Leader 



12 


This work was conducted under contracts DASW01-98-C-0067/ 
OASW01-02-C 0012. OASW01-04-C-003. Task BC'&-1767, lor the Assistant 
Secretary ot Delense lor Networks and Information Integration Command. 
Control, Communications, and Intelligence (ASD(C3INII). The publication 
ol this IDA document does not indicate endorsement by the Department 
ot Delense. nor should the contents be construed as reflecting the olllclal 
position ol that Agency. 

® 2003, 2007 Inslitule lor Delense Analyses. 4850 Mark Center Drive, 
Alexandria. Virginia 22311-1882 • (703)845-2000. 

This material may be reproduced by or tor the U.S. Government pursuant 
to the copyright license under the clause at DFARS 252.227-7013 
(NOV 95). 



13 


INSTITUTE FOR DEFENSE ANALYSES 

IDA Papw p.3?9? 


Techniques for Cyber Attack Attribution 

David A. Wheeler 
Gregory N. Larsen. Task Leader 



14 


Preface 


This document was prepared by the Institute for Defense Analyses (IDA) under the task 
order. Computer Netw^ Defense Asscssrtrcnl, in re^nse to a task objective, to 
“provide le^nical oipertise artd analyses in support of the DIAP's development and 
evolution to enable continued improvements in the Department’s lA posture." The 
Defense-wide Information Assurance Program (DIAP) sponsored this work. 

The following IDA research SUIT members were reviewers of this document: 
Dr. L. Roger Mason, Jr.. Dr. Alfred E. Brermcr, Mr. Terry Mayfield, Dr. Reginald N. 
Meeson. Dr. Edward A. Schrtcider. and Dr. William R Simpson. 



15 


Contents 

Executive Summ*»> ES-1 

1. Intnxluctioii I 

1 . 1 Defining Attribution — 1 

1.2 Retionale for Attribution 2 

1.3 The Problem 2 

1.4 Scope 4 

1 .5 Gencralizjition 6 

2. Attribution Techniques 9 

2.1 Store Logs & Trsccback Queries - .....11 

2.1.1 Logging — 12 

2.1.2 Querying — IS 

2. 1 J AJvonUiges end DisadvuiUgcs 16 

2.2 Perform Input Debugging 16 

2JI Modify Transmitted Messages 1 * 

2.4 Transmit Separate Messages (e.g., iTrace) 20 

2.5 Reconfigure & Observe Network — — .21 

2.6 Query Hosu 22 

2.7 Insert Host Monitor Functions (e.g., “Hack Back") 23 

2.8 Match Streams (via Headers, Content, ond'or Timing) 24 

2.8. 1 Stream Matching using Message Headers .25 

2.8.2 Stream Matching using Data Content 25 

V 




16 


2.8.3 Stream Matching using Timing .25 


2.S.4 Advtnuiges A Disadvinuges 

......26 

2.9 ExploilTorcc Attacker Self-ldenlifkalion 

26 

2.10 Observe Honeypot/honcy nei 

77 

2. 1 1 Employ Forward-deployed Intrusion Detection Systems (IDSs).. 

_2» 

2.12 Perform Filtering (e.g.. Network Ingress Filtering) 

^30 

2.12.1 Network Ingress Filtering Definition 

„„.KI 

2.12.2 Network Ingress Filtering Implementation _... 

31 

2.I2J Netwock Ingress Filtering for Attribution 

33 

2.12.4 Ingress Filter^ Advantages 

.34 

2.12.3 Netwxnk Ingress Filtering Disadvantages 

35 

2.12.6 Filtering Advantages and Disadvaruages 

37 

2. 1 3 Implement Spoof Prevention 

37 

2-14 Secure Hosts/Routm 

40 

2-15 Surveil Attacker 

-.41 



2.17 Combine Techniques 

42 

Issues ifi Auribution Techniques 

43 

3. 1 Preposllioning of Toots and Trust is Critical 

43 


3.2 Preposilianing Tools and Trust in External Nciwarfcx is Diflicull 43 

3.3 Networks and Sysicim Can be Configured to Ease Attribuuon: Changing the 

Temin 43 

3.4 Attribution is Often Easier Against insiders 44 

3J Build Attribution Techniques into Common Components 44 

3.6 Attribution Requites Funding _.._46 

VI 



3.7 Sundjuds are Needed - — ....—47 

3.* Anribulion Techniquei Miio Be Secured •!» 

3.9 Anribulion Should Unully Be Hidden from ihc Attack. ; -tu 

3.10 Sensor Placcmcfil Is IraportaiH 49 

3.1 1 Moil) Attribution Techniques Require Funding for Technology Tnnsitkm 30 

3.12 LegjU/Policy Issues Intertwine — — -SO 

3.13 Need to Protect Privacy and Freedom of Speech - — — SO 

3.14 Required Attribution Times Will Continue to Shrink _.S I 

3.15 Allributioo is Inherently l.bnhed - —SI 

3.15.1 Attribution Delays — 51 

3.15.2 Failed Attribution- S2 

3.I5J Misattribution.- - - S2 


4. Conclusions -....53 

Appendix. Attribution Technique Taxonomy A*l 

References ReferencevI 


Acronynu and Abbrev iationt 


.-Acronyms- 1 



18 


Figures 

Figure I . Anribulion Problem..... - < 

Figure 2. Store Logs & Traccfaack Queries Technique . 12 

Figure 3. Stream Matching 24 

Figure 4, Network Ingress Filtering 31 

Figure A. I. Attribution Technique T»xonom> ...... — .A-1 


is 



19 


Tables 


Table I . Atiributiem Techniques 


n 




20 


Executive Summary 


ThU piper siuninin/es various techniques to perform attribution of computer attackers 
who are exploiting diu networks. Attribution can be defined as "determining the identity 
or location of an attacker or an attackeri intermediary" In the public literature 
~traceback’' or ’’source tiacking” arc often used os terms instead of ‘'attribution." 

This paper is intended for use by tlic U.S. Departnteni of Defense (DoD) as it considers if 
it should improve its attribution capability, and if so. how to do so. However, since the 
focus of this paper is on technology, it may also be of use to many others such as law 
enforcement personnel. This is a technical report, and assumes that the reader 
understands the basics of network technology, especially the Transmission Control 
ProtocoUIntemct Protocol (TCP/IP) suite of protocols. 

The paper identifies the following attribution techniques: 


I . Store Logs & Tracehack Queries 

9. Exploit/Force Attacker Self- 
Idenlification (e.g.. beacons, web 
bugs, cookies, watermarking) 

2. Perform Input Debugging 

1 0. Observe Honeypot/honcynet 

3. Modify Transmitted Messages 

1 1. Employ Forward-deployed 

Intrusion Detection Systems 
(IDSs) 

4. Transmit Separate Messages (e.g.. 
iTrace) 

12. Perform Filtering (e.g.. Network 
Ingress Filtering) 

5. Reconfigure & Observe Network 

13. Implement Spoof Prevention 

6. Query Hosts 

14. Secure Hosts/Routers 

7. Insert Host Monitor FuiKtkms 
(e.g.. "Hack Back”) 

1 S. Surveil Attacker 

t. Match Streams (via headers, 
content, and/or timing) 

16. limploy Revenw Flow 

17. Combine Techniques i 


The paper also discusses a number of issues related to attributiort 


ES-t 






















21 


Tbit paper concliidet and reconunendt ihe following: 

I . There are a laige number of dilTcrenl aUribution tcchniquct. Each leehnique 
hat ilt strengtht and weaknettet; no tingle Icchnlque replaces all othen. 

. 2, Attribution It diflkult and inherenily limited. In pailicular, attackers can 
cause attacks to be delayed and perfotm their attacks through many 
Intermediaries in many jurisdictions, making attribution difliculi. In some 
cases this can be partly countered, for example, by treating tome information- 
gathering techniques as attacks (and atlribubng them), uiing multiple 
techniques, and using techniques that resist this problem (such u 
cxploiting/foreini attacker scif-idcnullcation and attacker lurveillancc). 
Nevertheless, because of the dilTiculty and uncertainty in performing 
attribution, computer network defenK should not Jtptnd on attribution 
Instead, altribulion should be part of a larger defense-in-<kpth strategy 

3. Attribution tends to be easier against insiders or insider intermediaries 

4. Prepotitiooing b necessary for many attribution techniques. 

5. Many techniques are imnuitiire and will require funding before they are ready 
for deploymeia If the DoO wishes to have a robust attribution capability, it 
must be willing to fund its development and deploymenL 

6. A useful firsl step for Ihe UoD would be to ckmtge ike lerralti of its own 
network. By this, we mean modify DoO computers and networks to aid 
altribulion techniques This iiKludes hardening routers and hosts, so 
exploiting them as intermediaries is more difTicull, limiting spoofable 
protocols, diuMing broadcast atnplifkatiotvreflection. and Implementing 
network ingress filtering. Changaig the lemin should aba be applied to key 
networks Ihe DoD relies on, to the ealcni possible. 


ES-S 



22 


I. Introduction 


This paper summarizes various techniques to perform attribution of computer aiiackers 
who are exploiting data nelworis. Attribution can be dcrined as determining the idemit>' 
or location of an attacker or an attacker’s intermediar>'. In the public literature 
•traceback” or “source tracking" are often used as terms instead of "attribution," and in 
the commercial world a major mierest in attribution is to counter distributed denial of 
service (DDoS) attacks. A taxonomy of ODoS attacks and of DDoS defense mechanisms 
is given in [Mirkovie). This paper was developed by identifying and organizing the 
public literature available on the subject. 

This paper it intctKled for use by the U,S. Department of Defense (OoO) in considering if 
and how it should improve its attribution capability. However, since the focus of this 
paper is on technology, the list of techniques may tdso be of use to many others such as 
law enforcement personnel. This is a technical report, and assumes that the reader 
understands the Iwics of network technology, especially the Internet's Transmission 
Control ProtocolTntemct Protocol (TCP/IP) suite of protocols. 

There arc other summaries of attribution techniques, such as [Lee 2002) and Dave 
Dittrich's list of DDoS attacks and tools (Dittrich). A website dedicated to surveying 
backtracking analysis is at Oak Ridge National Laboratoiy (ORNL). sponsored by the 
Office of Counter Intelligence of the U.S. Department of Energy, which includes the 
survey (Dunigan 2001). Another website records the results of the “Attack Traceback 
Suminit Proceedings" of September 6-8, 2000 (Purdue): (Buchholz) includes a summaiy . 
Silicon Defense maintains a “Traceback and Related Papers Archive" [Silicon Defense). 
However, these other summaries omit many attributioa techniques, so making decisions 
solely hosed on them would ignore important alternatives. This paper aims to fulfill the 
need for a mote inclusive summary of attribution techniques. 

1.1 Defining Attribution 

Tltcre is no universally agreed upon definition of the term attribution in the field of 
information assurance (lA). One dictionary defines the general term "attribution” as “to 
explain by indicating a cause." (MetTiam-Webster 1983]. 

This paper defines “attribution" os “determining the identity or location of an attacker or 
on attacker > intermediary. " A resulting identity may be a person’s name, an account an 
alias, or similar information associated with a person. A location nruiy include physical 
(geographic) locatiott or a virtual location such as an IP address or Ethernet address 


I 


23 


This dcriniiion includes imennediiincs. and not just the itiacker. An ideal attribution 
process would always identif) the original attacker's identity and location. 
Unronunately, clever attackers can often make themselves diflicult to directly attribute 
(and/or providing misleading infocmalion to hide the true attacker) However, even if 
only an intermediary is Hlentined. that information con still be useful For example, 
blocking an atuck may be more effective if an iniermedioiy ia known 

An attiibulkm process may alto provide additional information, such os the path used to 
perform the attack and the liming of the attack, but these cannot always be determined 
In particular, h Is worth noting that it con be diflicuh to determine by technical means the 
motivation for an attack.' 

A related term it tnceback, which will be derined in this paper as “any attribnUon 
uchnbim that begtni ttUh the defending compuler and reeuritvefy steps bachrards In ibt 
aiiati path toward the atlocker. " Thus, traccback techniques ore a subset of anribution 
techniques The term 'Traceback" it common in the public IHeratuie on this topic. 

I.I Rationale for Attribution 

The U.S.. including the DoD, it under constant network attack, and there It every mason 
to believe that increasingly capable and sophisticated network attacks will be perpetrated 
in the future. While there it a great need to luudcn DoD infrastructure from these attacks, 
passive computer network defenses cannot be, and will never be, perfect Thus, if the 
DoD attempts to passively withstand all attacks, it will evcnuioily succumb to a seriout 
attack. At with conventional warfare, a good offense is often the strongest defettie. 

However, many olTetuive techniques, such as computer network attack, legal action (e.g., 
arrests and lawsuits), and kinetic energy attacks, can only be deployed If the source of the 
imack can be attributed with high confidence. In addition, tome defensive techniques can 
only be employed if the defender has specific knowledge about the attacker's id^ty or 
location. Therefore, there is a oced for attribution. 

I J The Hrobicm 

In this paper, we assume that there Is an advcrtoiy, attacking a system via a data network, 
who ia potemitlly both intelligent and ttsourccful. This adversary will be termed the 
"attacker' in this paper. Other papers may use other terms such os 'intruder" or 
"cracker.” In this environment, the defender (also termed the victim) wants to identify or 
locale the attacker or at least an iniermedioiy so a targeted response can be employed. 


* Tliovacwaciiii|VMifk1omanirrioinlcriariKOvmDn/iBieiaornttckcrvfaMedaainlbiinatian|K*cflaeilhy 
llw auck. For etwnfHc. sat Ok tMRPA laayect "MeiTiiia Imoa of Alladian" by Pem A Jwvw, 
KamiLMyqsmaTBivMtjaK.mnrcinfai nmn ss hn iaihcpnyciaaheai.‘Ww w g i ri in >re i i|cct'ttA. 


S 



24 


Unfotlumtely. » rtKiureeful »tueker am use miui) *ppro«che» lo m»ke mrihution 
difRcuh: 

1. On Bi imetnet, djo* MkMifyhig ihc tender it normally unuted while tending 
to lit tource infonnalion can be easily forged. Forging ihe tender's idenlily in 
a message is called tpoofing {Bctlovin 1989). In particular, al the Internet IP 
level, spoofrng UDP packets h trivial. Sirring TCP packets is slightly more 
difTicull because of TCP protocol's design (particularly because of TCP’s 
“sequence numbersT but h b still possible (for further discussion, tee 
IBellovin I996| [Zalewski 20011). 

2. Attackers can use a “reflector host", who replies to a forged tender and thus 
really replies to the actual viclim. hiding Ihe attacker’s location 

3. Attackers can expluit protocols in other, subtler ways to hid e their identity. 

For exantple, they can set their IP packet's Time to live" (TTL) value too low 
and then forge the source addiess. A router will reply with an expired packet 
message to the forged source address [Templeton 3()03]. 

4. Attackers can hide their identity and location by using a "lauiulering" host 
[Lee 2002). A laundering host is a system that transforms dau in some 
maimer 

• A laundering host that immcdiilety passes that data without processing 
(other than repackaging the dau for its new source, origin, and lower-level 
protocol) b termed a stepping stone. For example, if an atucker lop iiao 
system A (e.g.. using ssh). and then uses system A to log into system B 
(e.g., us'mg telnet), then system Aba stepping stone between Ihe attacker 
and system B. 

• A laundering host that performs some more significani processing or 
intemionally inserts some delay is termed a rombic. In particular, note 
that an attacker may use a zombie to delay an attack for a long time, 
giving the anackcr ample opportunity to escape before Ihc attack triggers. 

5. Attackers may use very fast attacks, possibly measured In millitccowb. or 
may distribute their atuck over lengthy periods <e.g,. months). This large 
range of timescales makes it more diflicuh to build elTeclive attribution tools. 

Figure I illustrates the atlributian problem's environment. The thick lines represent local 
area networks, Ihe circles represent routers, and the rectangles represent other hosts on 
Ihc network. In thu illustralion, the attacker (on Ihe top left of the diagram) sends an 
aOack through a number of dilTefcni hous. which ends up al the defending boat The 
defender must attribute (identify or locale the anackcr or al least oik of the 
intermediaries) without misidcnlify ing an innocent host Although not shown in dib 
flguie. the attacker may actually comrol multiple intermediate systems. For example, 
distributed denial of service (DDoS) attacks involve a single attacker controlling a large 
number of imermediolc systems that then attack a defender. 


3 



25 





Klgnrv I. AttributioB Problem 

Modem environments often mike ■ttribution quite difficult Typical computer network 
environments ire not designed to support attribution of attackers Them are often many 
components bi a network, making h easier for attackers to hide. Data paths may go 
through many systems in many countries or may be controlled by many dilTerem 
administrative domains, mcludii^ those who may hostile or noncooperativc. Many 
networking capabilities unintcntiorully create complications for attribution, such as 
network address translation (NAT) that can change the sender and receiver address. 

1.4 Scope 

This paper is focused solely on identifying different techniques that could be used for 
attribution of attackers. This paper only examittes attribution techniques for attackers 
attacking via an electronic data network (usually an Internet standards based network). 
Other attacks, such as physical attacks, social engineering attacks, or trusted 
programmers inserting malicious code imo their own programs during development, are 
concerns but are outside the scope of this paper. Thb paper concentrates on approaches 
based on technology: non-technical approaches such as various human intelligence 
techniques are not the focus of this paper. 

This paper does not cover identifying or locating people who are not directly attacking 
the defender In particular, identifying or locating people voluntarily cooperating with 
each other is not covered in this paper, although some attribution techniques may also be 
useful in that case. [Wright 2002) describes some anribution*Iike techniques for 
anonymous pcer-ln-pccr (P2P) networks. I) also does not cover the general issue of 


4 







26 


diKovcnni nctwoA topologin (» opposed lo individual people or nodes), oilier 
resources such as the Cooperalive Assoculioo for InlenKt Data Analysis or Cyher- 
geagraph> Research' may be useful Oarting paints for such infnrmalKin 

This paper docs not cover how to detect the occurrence of an anaclc. This paper presumes 
that for whatever reason, an attack has been detected. In practice, the attack might be 
detected by components such as an intrusion detection ^stem (IDS), application, or 
rncwall. See (Axelsson 2000) for a survey and taxonomy of IDSa. There are 
alternatives, for example, a random sample of data could be attributed to ensure that only 
authorired users are using the system. Indeed, the defender could treat all data as an 
attack unless proven otherwise, though this is unlikely to be practical in many 
environments. 

This paper does not concern itself with determining ham' the attacker attacked. For 
purposes of this paper, this is considered part of ‘’characterization.' which b defined in 
this paper as 'determining how the attacker atucked. including determining the 
properties, capabilities, and relative strength of an attack.' The attribution process may 
also aid in ciuracicrizing the attack, but diaractcrizatian b considered outside the scope 
of this paper 

After altribulion, a defender may decide lo perform some response lo the attack 
specifically directed at the attacker or the attacker’s iiMermcdiary. There are many 
response options, including hotl/nelwotk reconfiguration (e.g,, lowering the bandwidth 
along some paths, disconnectkin of the allacker’s path, transferring the connection lo a 
decoy/boneypoe, or hardening/re-installing inlennediale systems), legal action, 
inlelUgence opcntioiu. computer network (counter) attack (C^). and kinetic energy 
attack Clearly, the decision of what response u> make may depend on the nature of the 
attack, the aliribiition infotmatioii, the confidence in that attribution, etc. Response 
options and decision processes are oubidc the scope of thU paper. 

Titcrc are imporlam legal and policy issues surrounding atuibulinn. but this b a large 
topic by itself and b outside the scope of this paper (Aldrich 2(X)2| examines some of 
the important legal issues involved in attribution, and notes that the law recognizes four 
&irly Astinct roles in the area of computer network defense (CND): service provider, Uw 
enforccinem, intelligence, and the warfighter. Some of these attribution lechnk|ues con 
only be used in certain special conditions or used s limited number of times, and their use 
must be carefully controlled. Some laws may need lo be modified or clarified before 
some techniques can be used, at least in certain circumstances. Clearly, attribution 
techniques must be controlled in a way lo ensure that their me it legal. Again, for more 
rnformition on the legal issues, tec (Aldrich 2002). 


' hup:.'. wani cauls atg 
* http ;>‘.‘iimvicybcf|cutnphy. Off 


5 


Imiwnjm terra in the DoD ere Computer Nciwodt AtUck (CNA) and Computer 
Netwoii Defeiuc <CND). DeletmininK whether or not m Mlrihution technique is a CNA 
or CND technique, and under what condhionts is not in the scope of this paper. 


I.S Generalization 

To simplify and sboncn this paper, general attribution techniques arc discussed along 
with speciftc eaamplci frant puMkly available literature. These general techniques can 
then be applied a number of dilTerem ways. 

In panicular. each technique can apply to man> difTcrcnl network protocols. Much of the 
public lilerature on attribution focuset on the Internet Protocol (IP) One reason for this 
focus is that IP h central to any network based on Internet standards, so any 
implementation focusing on IP is useful in many circumstaiKcs. However, attribution 
can also be supported in other pratocolt. Incliidmg Ethernet. Simple Mail Transfer 
Protocol (SMTP, the Inicmet sundard for email), insiatu messaging protocols, the 
Dynamic Host Configuration Protocol (DHCP), and so on. Rather than le-dcscribing the 
same general technique for each protocol, a tingle technique is discussed that may apply 
hi many prolocoU. To emphasize this generality, the term "message" b used iiMead of 
“P^rket’' A “message" is a unit of information for the relevant protocol Every 
“message" has a “message header" and “message cooleni": 

1, The message header provides mformation about the message, such as the 
source and destinalwn of the message. Thu mformation b used to bring the 
message to its intended recipient 

2. The message content contains the actual message This content may be 
further broken down (c-g., Iruemet mail message content may have multiple 
MIME pmu). 

A “router" for a given protocol b any component that forwards messages of that protocol. 
For example, an Internet rooter b a router for IP traflic. while a Mail Transfer Agent 
(MTA) b a router for SMTP email 

Thb paper uses other means to describe the techniques in more general ways: 

I Many techniques ciui be implemcnicd on the endpoinu (hosts) of the 
communicsiioos, on the message routers, or on separate monitors that observe 
network traflic. These ore not considered separate techniques, although the 
impact of different implcmentaiions may be noted 

2. Many techniques can be implememed either manually or in on aulomolcd 
manner Automatian of a manual technique b not coraidered a different 
technique Note that manual techniques often fail since the speed of attacks 
can be for greater than a manual technique can support 



28 


3. Many lechniquct that involve qucryini can tapond with cither ibe 
infonnBtioa being icqueited, or lim^y stoic the response and respond with an 
index to that response. The advantage of the latter appcDach ia that the 
information is stofcd. but authentication and authorization of the person 
requesting the attribution infomiation can happen separately. Since such 
authentication and authorization may take a long time, but the data may 
disappear if not stored quickly, this approach con he valuable. 


7 



29 


2. Attribution Techniques 


There ore man> difTerenl tcchnicvl approaches tho) can be used to perform amibution. 
For purposes of this paper, these approaches have been grouped into the following 
seventeen techniques as shown in Table I. The numbers with the technique names are 
simply identiHers. their order is unimportant. 


Table 1. Attribution Techniques 


Tccliiik|t»r Nuae 

T rtlittk|«« t>csei1plftM 

1. Slor* Lop 4 Tnccbaei 
Quenei 

MmafCft mt lopjed by ruuiere » they go chnMigb a network Retiuesu 
arc ifBCtd backwards, asking each footer if H has seen the message. This 
sispporti lOribution of mesMiges that were not previously Hteatifted as 
dangcroos. but the logging rouien must be propositioned, can have 
probkmaiic costs ai^ performance impknieatatioiu. and miny 
implefncntations invoke privacy cancema 

Z Pcrforai Input 
tMnigpnf 

When attacked, defenders use the anack as a query to ask adiaceni rouiers 
10 report when they sec the pattent again if a router reports, the query is 
seiri ufi to its adjacent routers, and so on. Thu approach ts ciirrenti> used 
gainst aonse ODoS anacks. but is fundamentally reactive and only works 
against enickt that cMttinoovsIy tfream dau 

3. Modi^ Tranmiflcd 
Kiewapi 

Routen mark mesaages as they are tranamiltcd so thdr route can be 
idemified this can increase bmidwHlth and'or decrease Mlwork 
performance, and can interim with some authentication mechaniimi 

4. TnAunh Sepme 
Mesufn (e^ (Tncc) 

Uhen routers route a message, they abo send a sqiarate message to aid in 
mxnbution If the sqMratc mesaages are sent for all messages, this could 
easily ovcrvrhclm network resources, but if h U only rarely done, 
anribuikm is less likely (typically only working against continuous 
flooding actackst 

5. RecoDli(iirc A Obtervt 
Netwotk 

Kcconfigurc the network, and use the information on what (if anything) 
changed to backtrack to a previous step This am be diflicufe to 
implcmem on large networks and create new security vuincrabiittses. 
*Cocioolfod Opoding** can be used on networks owned by others, but can 
be viewed as m attack on third parties and should only be used in limited 
circutnsianees 

6 Qacf) Htnu 

Query hosts for internal state uiformaiioit to aid in atirfoution This can 
be rapid, but il requires that there he a prt-oiiting query function If an 
attacker concroli the host, this akrt the attacker sod make the 

information much less reliable 


















30 


TirtMit 9 «t Nun« 

Ttda^w Dawflptta 

7. iHcn Hum Mcsniiar 
hmouam itf., ~tl>ck 
Back*) 

Immi cpweyinc ftitirtioariity aflo a hoai that ikm aot already faovide dua 
aifnrmmioa (aota the iliiMlaiity to ''Cuary Hoets*V A **hack ba^” ia 
dctiog Ihn adbcpul penniasicn of dw owacr, mid dearly re^airca 
ugnifkafii icpi amtioL If an a&adre cooirois ibe hoat. this may alert 
tlw anackar and make the mSannatioo mach lea reliaMe 

I. M«cfa Streams (via 
Imaden. coniem. amUir 
IMHAfl 

Otoervc the sereaau of data catertnt aod cuuaif a nctvimrk or hoat. aad 
ctotormlM which iapnt oreams auuch which output itrcanM Tlai can aad 
attrilimioa wilhoat needmg to know die inianial stole of the iwivnirk/hoat. 
ban matcbrng ia a difncah technical prehicm, particularly i^iaet delayed 
attoclis and cneiyiitkifi ecaamng aitidc the naiwofllKiai 

0. EA|iloil/ Poree Aitacier 
Sdf-McaO-fkaUM 

Use tofoamatiaft the anackcr seadi, Itaemionnily or not. to tdemify die 
attacker la aofa* cases the deloMler can cause the aaackcr to scad ihta 
data ^liai this lochiuque woits, it can directly reveal the attacker 
rcgardleto of how wefl diey hide oiherwtM. hut tiiafiy of these tochntout* 
depend ofi MgMy tochni^ atid apaciatiaad appsoachci (e.g.. hcacMis. 
wvb bugs, csohita. and wtocnnarkmg) that are caaily Ibilad once m 
attacker kaowt aboul them. 

10. Obsenv lioncyprt? 
honey iwl 

Hooey poivhoney acta arc daooy tyiieato; anytme uaiag them to by 
deflmtacin an aitocker. Zowihiei placed hi honeypatolioncyiMls can hr 
revealed lattantly Howtw, boacypouAioaryneto imnt ^ montocifcil 
and analynd (retoatrtag ugnUkena espemse) and can only anribme 
totackf tlMf go dinregh diem 

11. Employ Ponvartf* 
depteyod Imnasoo 
Ovloctton Sytmno 
(IDS*) 

Haoe aatnoion detection lytocm* (IDSa) aa dote aa poeathle to poacntial 
totackert (laatead of near the defended asaeto). The efhctiveiiea of diis 
approach depeadt on die placement of die IDS* (diey thould be ^oie to 
the totocker). Thii technique oflen retouires l■gm5cant moniloaing eilbrt. 
wawe IDS* are prone to many bbc posnivea and Use nefaUves 

12. 9'cffona PilicnRt (e.^ 
Netmofi Uiireu 
rilMnati 

Filler meis^et so dial cartaia link* only permit messafcs to paa if they 
meet ernena that erne atiribuuoa. Aa a^anfagr of the general techn^m 
to that H to oftan trentparant to user* and requaes no addicioaal itDraga. 
tha infoeamlon for anrdniuon to laored m the metsagr itarif A 
disads antaga of the Mchniqac to dial h to prwiartly only aiefol for 
antihutian of uaamal setaci locaitons. and olltn only idinPfics a rangt of 
poasiblc altnbutMn vahies (not a ^iccilk tocacion or idciitityl Ofttn 
there miM kc multiplt diffoeem paths a aressege can through, 

creatmg amb^uities that weaken the toehnique’s cffiectivencM An 
imporiaai approach wiptcmenong the toehnlque to *iiecvmrk mgreis 
(llianng.** which requires dial all mcnuca eniansqi a network have a 
aomce addrea n a valid range for thto network cmr> point Network 
ingrem fUtertag far IP to easily nnplemcmad snii^ (he cdsclag TCP/IP 
mfrastracture. and em be deployed mcreraeaaaily (one nctwarh at a tanci 
However, for a given network, networi ingress liltering must be 
unplamcntod by nearly every enoy pomt of that networi to be effoettoe 

13. tnfilaneQl Spoo/ 

fmcmiiai 

spoofing (forging *‘hom*' mfaraiecion). Thto greatly rethaeas the mimbcr 
of niiLiinidlaai systean doe need to be emaaineii but oRon proeocob 
amh'or rnpIcfBentatsaai camioc he eaitoy modified to do so. 


10 

















31 


TtriM^Mc Nmm 

Twhalqsv Dwertpiiaa 

14 Scciirt Hosl^ R^niicn 

Sccur? IvMti Mid riMien lo ttducc the mimbcr of weioeeni ntermcfbiie 
lyMatu iveiliiik to m Mseko. fliie M MOtfed ib my eew for coriihbo 
Mcortt). but perfect MC«rit> li •npruBKOl «Mt lliis doei not acnuUly 
perfoem eonbcHioo • il rnervlx makn the problnn cnicr lo toHre 

UL Sarrail Anaeko 

Dirccsl> wnrdl liUljr or kaown ntBckm TMt cownen vnpfofticaled 
Mucker iecliMM}nc&. bid tequnp pre^enuttRi knowledge of the likcl> 
enicker't Mconty. Mid mmk aiucken we eKtrctncfy dlffkab lo Mirvcil. 

Enfilo^ lUvcnc Flcn* 

Specully MMi dMa Oowwi btk to die MJieker. wid then heve 
inicnwediMe lyttam detect these markings tlkU can ince thrantfa 
stepping MoNOv but re^nires deiecton of these reverse flows Mid may be 
thwarted by cacryplkM. 

17. Comfeiac TcctoiMian 

Combme mirv than ooc tedmigue Thii is more likely lo ntcoced than 
Miy one techaMpie. but wlU gcMrally «oa iMore lo do. There n hole 
experieiice in camblnMig techiMpies. and remendier “garhagr bs. gwhage 
om** 


This paper does not claim that this is an exhaustive survey of all possible anribwion 
techniques. However, it is the most complete survey available to date, and should be 
useful for future work and lerinement of attribution techniques. A brief taxonomy of 
these techniques h given in the appendix. 

The following subsections describe each technique Each subsection describes the 
technique, provides specific examples, and closes with a brief commentary on the 
technique's key adv antages and disiMh antages. More specific instances of a technique 
are called "approaches" in this paper, there may be many different approaches for 
impleinenting a technique 

2.1 Store Loxs & Tracebnek Queries 

In the "store logs & traceback queries" technique, the Uansmitlcd messages (c.g., IP 
packets) are logged by routers as they go through a network. The messages may also be 
logged by the sending and receiving hosts. A log need not store an entire message, e.g., it 
may store a subset of information such as only the toTram information. A log need not 
store every message, e,g,. it may store only initial messages between parties. To trace, a 
rtspiesler goes backwards, querying each possible preceding router if the message or 
something related to the message (like a pattern or hash) went through that router. 
Obviously, queries using this technique can only work if the necessary information to 
support the query has been logged. 

Figure 2 illustrates how this technique works. Presume that the routers (labeled A 
through O) log all messages, and the defender is attcnqrting to track an attack backwards 
to the attacker, llnfoitunatcly, the attacker is employing a rombie to hide his originating 
source. The defender would query router A if the attacking message went through router 
A. router A would reply The defender would then query pouters B. C, atsd D, since 


II 









32 


itiOK rouloi BT connected to the next neeworit. Router B would reply tuggeding 
that the attack did not go through that route. Router D would aliio probobt) reply ~no~, 
aince in most coies a /ombie would change the mesMge to that the connection could not 
be eaiily determined from a log Router C would reply “ytt", suggesting that the 
dcrender query further at that point At this point, the defender has at least identified an 
intermediate network, and possibly the imermediale node on the network. The defender 
may even be able to backtrack futlher through the zombie, depending on the logged 
information. 



Figure S. Store I.ac* ft Trsceback Queries Technique 
This technique con be subdivided into two pans: logging and querying. 

2.1.1 Logging 

From the point of view of attribution, ideally every router would log every message and 
keqi that log in perpetuity. In practice, this is undesirable: such logging may have 
unacceptable performance, storage space, or privacy implications There are three ways 
to rectify this situation: 

1. Itinu the mmbtr of meisagrs logged. For example, store only the data 
destined for an especially sensitive dcstinoliun, or only pockeu that appear 
“suspicious." 

2. Limit the amount of data stored about each message For example, store only 
such as connection information (e.g., to/from information for only the Initial • 
message of a session), only to/from infoiniation from each message, only a 


l( 








33 


njbsel of Ihe imauagc (e^.. m inhUI fragment), only haihe> of the message, 
or only hashes of a subset of the message. 

J AcetfM the undumMe le^tcatmm For example, buy large disk arrays or 
massive memory arrays lo store the log data, buy faster processors (or more of 
them), and accept privacy risks. Clearly, limiting the number of messages 
logged and Ihe amoum of dau stored about each message is more destrabic 
uherc possible. 

The criteria for selecting messages lo be logged, or Ihe amount of data to be logged in 
each message, could he changed dynamically. Dynamically changing these values could 
be accomplished by connecting these values with tnlrusioa detection systems; see Ihe 
forward-d^loyed IDS discusaion below. 

What dau b dored. and how h can be retrieved, also has legal and privacy ramifications. 
In some circtunsrances, recording or relticving information about a message (such as 
fmmito information) may be considered different than recording or retrieving the 
message itself. In trisditiorul telephone systems. H‘s possible to obtain (with a warrant) 
information on who a suspect has called (pen register) or who has received calls from Ihe 
suspect (trap and trace) Warrants for pen registcritrap and trace (PR/ 1 1 ) Information (as 
It's called by the law enforcement community ) arc often easier lo acquire than recordings 
of Ihe actual message traflic, which enjoys stronger legal protection. 

It may be easier lo store message hashes than messages themselves, since hashes are 
usually for smaller than the messages they hash Thb b especially true in higher protocol 
levels, where one higher-level message may be implemented by many lower-level 
messages. Storing hashes instead of the actual daU is probably mote palauble legally 
and socially at well. Since the dau itself isn't stored, hashing only supports aitribution 
for daU the requestor has already seen, and does not reveal the dau itself Storing hashes 
(instead of actual diU) appears to be more akin lo PR/TT dau than lo a recording of the 
message, though it b unclear if the courts will agree to thb viewpoint. 

One useful approach to logging evenu U logging authentication records for every 
Bulhcnlicalinn event (e.g., host login, ftplutp login, etc.), along with information such as 
the network address of the requestor. Reservations of resources (e.g.. DHCP) are also 
useful for attribution. A log could be kept of every email received and sent (including the 
IP addresses of the other party exchanging mail, the fromAo addresses, and a hash of the 
conlcMs). 

One problem with logging b prolceting the logs themselves, particularly if on atuckcr 
gains administrative privileges over the system generating or storing the logs. A partial 
solution b to store logs on a separate machine from Ihe machine performing Ihe 
octivilies. As long as the logging system itself b secure, an atucket may be able lo use 
other systems lo append inconeci dM but not remove correct data. 


13 



34 


|Saj|cr I9V8| describes capturing flow mfomution from Cisco mwers that may be UKfiil 
for miributioa. This infotmation includes (reporled) source and deilinatnn IP addresses 
and pons, number of packets and bytes, IP protocol, and TCP flags 

One unusual solution for high volume IP packet-level logging Is named Source Palh 
Isolation Engmc (SPIE). In the DARPA-sponsoted SPIE approach, IP packet hashes ore 
stored using a Bloom fiher lo store the informalinn eflicienily (see (Snocrca]). The SPIE 
approach dramatically increases the amount of data that can be log^, but even ihcn. on 
high-raic routen (c.g., IP routers on an Imcmcl backbone) this is still diUkult and 
capensivc for software-only implementations lo perform in terms of memory sire and 
memory performoiKe. However, on low«r-spetd software routers (or where only a subset 
of packets are logged) this b not os difficulL [Sanchez 2001] deKribes the design of a 
hardware unplementaiion of SPIE. and suggests Ihu Ihn would make SPIE practical at 
high speeds for relatively small amounts of money.' An Inicnict draft discussing 
mceback protocols, includiog SPIE, b avaibbic [Poiuidgc 2001], The developers of 
SPIE arc working w ith Ifac Internet Engineering Thsk Force (IE1T) working group on 
iracebock ptoiocols and appear lo be actively comimiing the work. 

Mott of these approaches presume that logging b decentralized, and queries ore mode 
againit the logs later. Logs ore often decentralized, because the overhead of transmitting 
logs to a central location, and then performing analysis at a central location, docs not 
Kale well to very large networks. Nevenhclcu. thm are ihoK who have established 
cemraiized logging facilities for at least a portion of logging data, and then use the 
resulting information for attribution. For example, the Distributed Intrusion Dctcctioa 
System (OIDS) is a hoai-boaed approach Hut attempu to track all users in a network. 
Each monitored host sends abstracu of the audit trail to a centralized OIOS director for 
further oiulysb. Note that DIOS establishes a “Network-user 10“ (NIO), and audit 
records of session statu (logins) are Knt to the ccMiaJ DIOS diiector. As a result. DIOS 
b able lo track users movmg through the network using normal logiiu when inside the 
DIDS-coveted network [Snopp 1991a. 1991b. 1992, Ko). 

A for more extreme version of Ifab approach b the fint approach suggested in (Aikin 
2002). In thb approach, all public network UafTic b logged for a period of lime, and later 
the log of all octwork traffic b searched. First, a quety for the nelwork-vbiblc pouem U 
requested, and then queries lo flnd any Inutsmission of the source code that caused the 
pancm are made. The presumption b that attacks lend lo be tested at first in smaller 
regions, and so by idcnti^'ing early attack tests it may be eatier lo identify the attacker. 
Searching for early venions of the source code may also aid in identifying the real 
attacker. Finally, profiles of attackers arc built up (e.g,. based on unusual approaches or 
tootkiu). so attacks on difTereni targeu can be correlated lo help identify the attacker. 
Thb approach depends on a massive storage system monitoring and logging dou from 


SolhnR thn nistmienis SHE. md nkaed fapm, mt availaMe n hmJ/wm r b ta.Mn.wrmcis'SWF. 
The loftwwe a opea soom lo l twst c ' t rK loftwan awter la MlT-slyli iKnae This loftwae ma 
developed far pieeBSO-s J end Umn-yaZ hui a can moMiiir packns bom abdiw) ii|ic«in| lysams 
«d the mpfiMcSi thoold easily apply In odwr openHuic rynenii 


14 



the cntiir Internet (or a lignificanl portion of h). The leyal and tocial iuues of such a 
system are not addressed in Atkin's ptqter 

2.U Querying 

Querying can be performed maiwally (e.|^ using telephone calls and eiruil to upstream 
routers) or auiomalically. Manual querying is cutrcntly necessary in most cases, and may 
always be ttecessary for querying in some locations not under a requestor's contrul. 
Supporting manual querying requites an efTicient way to identify the poim-or-conlact for 
each router: existing debates (e.g., WHOIS for IP routers) sometimes provide this 
infrxmation. but techniques to ensure their voltdity would help, and not all protocols have 
a system for idemilying points of contact. 

However, manual querying is necessarily limited to slow human response times. If more 
rapid response is needed, then query ing must be automated. To support automated 
querying, a protocol is needed to query 'upstream" logging systertu. 

(Sieme 2001) (Schnackenberg 2000] describes the Cooperative Intrsnion Traceback and 
Response Architecture (CfTRA), bated on the Intruder Detection and Isolation Protocol 
(lOIP), which can per f orm this aervice. Note that in CITRA’s case, the 'CfTRA-cnaMcd 
Limn routers in our testbed perform traccback by creating audit records for network 
flows on on ongoing basis and exomintng them for attack path evidence when presented 
with a traceback request." IDIP was developed by NAl Labs, Boeing PhotUom Works, 
and U.C. Davis under a series of DARPA contracts 

IStcme 2001] iIki references AT&T's woik on "Aggregate-Based Congestion CoMiol 
(ACC) and Pushback." which proposes a similar inter-router signaling protocol, and 
mentions other similar approaches such os Arhor Networks' and Recourse Technologies’ 
MonHunl. 

Note that some protocols that query "current stale" could be modified to also examine 
logs instead. For example, the fiesskm Token Protocol (STOP) jCairier 2002], described 
later, could be modiricd to examine logs and not just the current stale of the system 

(Asaka 1999a. |999b. 1999c] takes a different approach to performing queries. Instead 
of sending a query to the system containing the logs, the 'manger" dispatches a mohrle 
agent called the ~trBcing agent” to the system where tracing is to occur. The tracing agent 
activates an information-gathering agent, which collects infomuilion from the system log, 
and invcsUgoies the point of origin of the Mari Left by Suspected Intruder (M1.SI) based 
on accumulated data about the network connection and processes running on the system. 
Note that this approach is actually a hybrid of the "store logs & traceback query" 
technique and the 'bnett host monitor functioiu" technique discussed below, since the 
mobile agent is mserlcd into a running host to perform queries on the current state of the 
system The tracing agent then repeatedly moves to the next target system on the tracing 
toute, activating a new information-gathering agent. This approach hu the advantage of 
reducing bandwidth ute (since entiie logs are nM iransmillcdl, but requires that various 
systems accept and execute mobile agents to examine these logs. 



36 


N<Mc tJut quci>’ing could respond with in icluil loswcr. but m illcraitive U to simply 
store the answer. If an answer is stored, a router would usually need to automatically 
send a “please store the Infonnatkin" query up further when it htu seen matchuig 
information, to recursively acquire and store the information. There is also a need for a 
separate querying mechanism (which nuy be manual) to actually retrieve Ihe stored 
information. Storing answers for later use resolves the problem that complete logs cannot 
usually be stored for a long time. 

As with all the other entries here, querying it not limited to IP packets. Also, querying 
can be especially useful for authentication servers. An example would a query to ask an 
ISP what user is cutrently allocated a given IP address (if users are authenticated and then 
dynamically allocated an address through protocoli such as DHCP). 

2.1 J Advantagea and Disadvantages 

This technique — logging and taler querying — is easily applied to a wide variety of 
circumstances. The approach is widely implemented for host logins (with manual 
querying), and many of Ihe references above discuss implcnicnlation approaches for 
implementing the technique for IP pockets. Indeed, most authenlicalion systems con 
easily suppoit log A query, aiding later attribution 

A mqjor advantage of these systems is that they support after-the-fact attribution. In other 
words, an attack can have already completed before the attribution process begins, and 
some otthbutioo infotmation may still be gleaned. In contrast, many other aniibutiaa 
techniques do not support after-the-fact attribution, 

However, there arc also many disadvantages. Log A quay systems must be pte- 
positioned to perform logging of the relevant data before the cvenL Since it is diilicult to 
determine abead-of-time what will be relevant, this leads to storing large amounts of dam 
in the logs about each event, in cam it might be relevam lata. The combmation of a busy 
network and large amounts of data pa event quickly leads to large logs, resuhing in large 
costs (to store the dots) and performance overheads. 

2.2 Perform Input DebuKtfing 

Unfortunately, the term “inpul debugging" has acquired a number of related meanings 
For purposes of this papa, the term “input debugging" describes a process where 
upstream routers (that is, routers oik step closa to the atlscka along the attack path) are 
given a pattern (e.g.. a destination address or attack signalure) by the victim, and asked to 
report Uk next time they receive messages matching that pattern. This pattern is 
somethnes called a signorunr. The term “input debugging" is used in Ihe lilaalure 
because the process is somaimes viewed as being similar to program debugging. 

This technique is in some ways similar to intiusion detection systems, but iMc that in 
input debugging the pattern is only given sfta the attack has begun. Aho, In input 
debugging. Ihe pattern is often a charactaistk that is not by itself an attack (c.g.. a 
deMinotion address or pon). Inpul debugging con be docK manually, but manual 

1C 



37 


debugging is limc-consuning. Manual inpin debugging is especially lime-consuming if 
it is necessary to gain the coopentioo of upstream loulers oulside Ihe organiwion 

It is possible to do input debugging one step at a time, by going back one step to all 
possible mulcts and making an input debugging requcsl. and when the “correcr path is 
located, Ut go back one step in that direction. An ahenialive is to “flooir all possible 
dircclioiu (say to a cenain depth) with the request. Flooding, however, can overwhelm 
on infnuliucuiie. and supponing such approaches can be especially hard to secure if 
automated. 

ISchnackcnbcrg 2000) proposed using Intruder Detection and Isolation Protocol (IDIP) to 
facilitate this kind of intcnction between routers involved in traccback (note that IDIP 
can support other kinds of interaction as well). (Cisco I) and (Cisco 2] inscribes Cisco 
router capabilities for supporting input debugging Many Cisco routers have Ihe “log- 
inpul* command that can aid finding one hop hack, and many models alto have a 
command “ip source-track" that enables IP source tracking on all line cards and port 
adapters for the IP address of Ihe staled host- Note that to use these capabilities, the 
Cisco Express Forwarding (CEF) option must be erubied This is not especially limiting 
for users of Cisco equipment, because most high-end Ciaco routers on the Intsmel (c-g., 
tunnmg as backbonia) nm CEF or d'lstribuled CEF (dCEF) for performance gsitu. 
(Thomas 2001] describes how to use Ciaco routers and their “NetFlow" capability to 
trace back to an attacker's entry poinL This approach also only works well if CEF or 
distributed CEF (dCEF) is enabled. An older p^ script named DoSTrack aulcmuilcs this 
approach on Cisco routers, but it docs nor worit if CEF b enabled. DoSTrack b no longer 
tnaimained (Slone 1999] 

A different approach b described m (Van 1997), which presupposes the use of an “active 
network." In an active network, packets can include programs for routers to run, along 
with regular data in this approach, tracing hack b perfocmed by programs sent 
backwards on the network to dw “previous" router, rcpcalcdly going bock to trace tn 
attacker by running a program to implemenl the pattern rruilchtng. (Von 1997) only 
discusses its use in halting an sitsck, but H appears that it could also be us^ for 
attriburion. However, the ability to cause arbitrary programs to run in routers U likely to 
create many new vulnerabilities. Examples of new vulnerabilities include network-wide 
dcnial-of-servicc if a packet stoim can be started, and entire networks could be token over 
if on attacker can insert malicious programs into routers. In addition, dib approach is 
likely to severely impact performaiKe. Thus, this approach has many dangers and may 
he impractical. 

(Dunigan 2001] describes a small prototype testbed using separsle “tracer daemons* on 
each (local area) network instead of tracing on Ihe routers themselves. These tracer 
daemons could control their "downstream" router, uid could query tack one hop to the 
previous “tracer daemons" Communication could be secured using csimmon protocols 
(such os the ssh ptouxol). This approach enables tracing wuhom modifying the routers 
themselves, but dK paper notes that it would be better if thb funaionalhy were inlegraled 
into Ihe rosuers themselves. 


17 



38 


lloumidii 2002] discusiet “puthback" of aggrcgite-bued coagcstion control (ACC), lo 
ratc-limii certain signatures and send ihoK limits back. Further informalion is in [Flo>d 
2001 1. The primary purpose of the approach is to support anack response, not anribution, 
but the system does send messages back downstream and could be modified lo support 
attribution 

Input debugging it a common approach for handling distributed denial of service (DOoS) 
attacks today. Today it it often implemenled manually, but manual implementation limits 
its scaleabiliiy. Even when automated, however, ittput debugging has its own 
disadvantages Since this approach has no memory and It reactive m nature, it cannot 
find past attacks or attacks that do not continue to send data. Instead, it it only fully 
eftective against continuously streaming attacks 

2J .Modify Transmitted .Messages 

Another anribution techni<|ue involves modifying messages (e.g.. packets) os they go 
through a network to aid anribution. l^rpically, this involves the various routers 
modifying the message to include idanificatioo of each router the message went through. 
In tome tense, this approach it like logging, but the log entries arc tent as part of I)k 
message. 

There are many varisliont on this theme: 

I. Sodr append In the node appending appeotch, information is added lo the 
metstge header (e.g . IP packet header) speciftcally identi^ing each router the 
messagt passed Umugh. In short, evety router adds an identifying marker 
saying. “I taw this picket" before retransmitting the dua. This Is 
conceptually similar lo the record route option of IP. At the IP packet level 
this approach it an extremely expensive operation (in terms of p^ornunce). 
il often disablet hardware support and rapidly increases packet site. Some of 
this approaches' disadvantages (when applied at the IP l^el) are discussed in 
[Doeppner 2000). where it is termed 'dMnminisiic router stamping." Thus, 
w-ays to narrowly select the relevant packets can be helpful when applying this 
approech or the IP layer. 

Note that unless the informalion b authenticalcd in some way, attacken can 
significantly weaken ihu approach. The Deciduous approach (Deciduous, 
Chang 1949, 2000, undated] uses IPSEC's Authenlkation Hcadm (AH) U> 
ukMify at least some of the routers along the way; in this case. AH b used U> 
create an authentication mechanism. 

This approach b easier to apply at big)Kr application protocol levels, where 
there b usually more data in a given message. For example, SNfTP mail 
iransfcT agents (MTA) for normal Internet email already add this routing 
Information when they forward email (though they do not normally 
authenticate Ihb infocmilion). 


IB 



39 


2. Algebraic tncodmg Exising *p#ce in ■ mcuagc header can be uaed to 
provide the atuibulion inromnlion through some sort of encoding. This h a 
uscAtl technique vkhen the incuage size should not be changed. In 11*, the 
Quality of Service (QoS) area is sometimes used for this pur]x>te since many 
organizalioiu do not use the (?oS Information. Encoding routing infotmalion 
into the packet in place obviousK iimits the amount of information that can be 
insetted. (Dean 2001) discusses a technique that uses algebraic encoding; 
their implemcnuuioo stores the encoded value in the IPv4 "fragment id" field 
(and thus interferes with IPv4 fragmentation) Note that the approKh in 
(Dean 2001) emphasizes the algebraic technique, and the approach could be 
still be used by storing information in other locations; Ihctr generalizations 
involve randomization, which is similar to the PPM concepts described next. 

3. Fmhahiliaic packrt marking (PPM). In the probabilistic packet marking 
(PPM) approach, a router randomly determines whether or not it should set 
information about die message's route into a given message. The defender 
can then use a set of messages to determine the route. Note that in most 
circumstances a number of messages must be received before attribuuon can 
be made. Sec (Savage 2000 and 2001) for an approach, including an encoding 
approach Note that there arc some special difficulties with PPM if an 
attacker attacks the mechanism itself. e.g.. sec (Park 2000). However, 
attacking the mechanism itself might provide warning of an undetected attack. 

See also (Song 2001) for techniques to improve the reconstructiem nf paths 
and authenticate the encodings: (l^ 2001) also examines the iqiproach. 

4. Rouirr Stampatg. Router stamping is described in (Doeppner 2000). It is 
very similar to probabilislk packet maiking, in that a router randomly 
determines whether or not to mark a given packet However, if a router 
chooses 10 mark a packet it then randomly chooses one of a fixed number of 
slots in the packet that can be used for maiking. To counter forgeries, 
administrators may tell a given router to change its maiking for any particular 
target; incorrect markings arc revealed at forgeries. 

Note that instead of marking messages at each router, a network can be established and 
mark only si the entry into or exit from that network (with each entry point being marked 
difiTerenlly). 

CS3’s MANAnel’ (based on previous DARPA work) implements modifications to the IP 
header structure to record the paths over which packets are being Iransmiticd (e-g_ in an 
organization's large intranet). MANAnet assumes that a typical router has no more than 
16 pallis; if this is true, an cruire path can be coded using 4 bits per hop. by having each 
router add the padi on which the packet was received to the list In addition, the IP 
address of the first router to admit the packet to the network is recorded in full, adding 


* See him /■•wu IWIt* — wi ■ ?nii?i 


l» 



40 


iDolher 4 bylet (in IPv4), If the fnaxhntun number of hope to be expected to be lexi than 
32, the entire path can be recorded ai a 20 byte expomion of the header. For the purpoact 
of attribution, the mam camponent b the “MANAnet Router” which implemenu a 
proprietary modined form of IP called Path Enhanced IP (PEIP); each MANAnet Router 
addi the place from where H got a packet to the packet before it forwardv it. The 
approach it reviewed by [Dietrich], who notes a number of problems with the approach. 
TUt includes near-universal imposition of ingress liltenng before it can even be 
deployed, modificatian of IP headers with support by all routers, a resource forecasting or 
reservation mechanism, and a means for determining the real source of packets. In 
particular, it questioru whether the computational techniques can be implemented in the 
fast paths of backbone routers, as well as concern for a proprietary modified form of the 
open IP standard. 

This technique has the advantage of not requiring separate logs and a separate query 
system, and thus attribution mfomution it iimnediately available. Alto, there is no need 
to store and manage logs. 

ITie technique also has many disadvantages. One obvious disadvanuge is (hot this 
approach can greatly increase bandwidth loquircmcms and'or severely reduce 
perfocmanee. This is not only riue to the increased dou and processing requirements; 
these approaches iiuy disable hardware and software optimizatiaos employed by soiik 
routers Iheie are many siluations where changing a mes»ge it impractical, for 
example, h may defeat authentication mechanismt since those mechanisms may delect an 
"unauthorized" change to the message. Ensuring that this data is correct (and not from an 
allackeri is also dillicult. Note that this approach rtquiret the cooperalicm of remote 
routers to add the necessary information, Implying the need for a standard way to insert 
this data. 

2.4 Transmit Soparnte Messages (e.g., iTrace) 

An sitemative similar to modifying Iransmitted messages is to have routers send separate 
nsessages that can be used to support attribution. 

The lETF's ICMP Traceback Working Group has been working on one such approach 
called "iTnoe." which sends traceback messages a small amount of the time (e.g.. 
|/20,00D packets); their website is at httn.'^www.ictf.org'html charicfvllnicc-chartcrhtml . 
See [Bcllovin 2000] where the ITncc (ICMP Incehack messages) are ditcutacd. 

[Msnkin 2001 ] describes an “intention-driven" modifkaiion to iTrace: an iTrace message 
Is only sem towanls a path that has registered an "interest", and that interest infomtation 
is shared using a minor modiricaiion of the standard Border Gateway Protocol (BGP). 
Indeed, the paper argues that the simple original iTrace proposal was essentially 
ineffective without this cxlemion, although this modiricatioo rt<|uires more effort to 
impIcmenL (Mankin 2001) also experimenlcd with a heuristic that preferred longer 
paths, to increase the probability that more useful path infotmaliao was sent, and the 
results appeared very eiKounging and to improve the usefulness still further. Sec also 
j Wu 200 1 ] for mote information. 


20 



41 


Note that these apfeoachci could be modined to raise the probability in cenain cases. 
For example, a router could decide that anything sent to a Hnsilive domain (e.g.. 
“.imiljnir in a (aravsay external roulerl could have a 100% chance of a trace mesxage 
also being sent. Note that the trace messages could go through a dilTerent path or 
network (c-g.. to prevent intereeption or to increase confidence in the trace message). 

These separate messages supporting attribution could be directly received and processed 
by the rcciptcM of the original mesuge. Hossever. they could also be observed by 
routers and systems observing the netwo^. 

An advamage of sending separate trace messages b that, since the original messages are 
not changed, many of the complications of changing a message are avoided. For 
example, hardware acccIcTalors in routers often work with this techniriue (they are 
sometimes disabled if the Uansmitiod message b modifled)., and since the origtnal 
message is not modified, the approach will not interfere with authctuicatian of the 
original message. 

However, using separate messages has disadvantages as well. Since the messages 
supporting tracing may be routed separately frooi the message being traced, extra effotl b 
required by any implementation to associate the trace message with the mesuge bcir^ 
traced. Tte technique couM euily overwhelm network lesources if a single mesuge 
becomes the origin^ mesuge plus a message from every router the original mesuge 
encountered Thb is particularly true if trace messages could trigger tracing themselves; 
if thb b possible, cascades of mesugo could exponentially overwhelm network 
resourcesi, but if trace messages arc not themsciscs tra^. attackers may work to make 
their attacks look like trace messages. Practical inqilemenutions must only send sepotale 
trace messages in special cases (such as the low piobabiiKies suggested by iTrace). In 
other ways, the advantages and disadvantages of traissmitting separate mesuges arc 
similar to modify ing transmitted messages 

13 Recanfigurc & Observe Network 

Another attribution technique b us tcconfigurc the network, oburve what changes, and 
use this infonnation to identify the source or a route hack to the source. The 
reconrigunuion could be direct (e.g., changing dau fat a router table) or indirect (c.g„ 
performing an action that sigiiifkantly changes the network behavior). 

For example. Burch and Cheswick (Burch 2000] describe a particular imptementation of 
the technique called "coitlrollcd flooding.** Controlled flooding floods candidate 
upstream routers, and then watches for variatioiu fat the received packet flow to 
determine if that router is in the path of the attack Hosvcvcr. thb approach could be 
viewed as a DoS attack on those routers. Thus, “conlrolled flooding" is an interesting 
approach but one that should only be used fat specialized cfactsmstances. One major 
adv antage of conlrolled flooding over most other techniques is that it can work on routers 
tiuu ore mu prcpositioned or coordinated to suppoct otiribulkm (Savage 2000, soetkm 
2.Z.2) (Savage 2001], Also, controlled flooding is only eflective for continuously 
flowing attacks, such as typical ODoS attacks 


Zl 



42 


Another variation on this theme is Centertrack as described by [Stone I999J In this 
approach, an overlay netwotk is created that links all ISP edge routers to a central 
tracking router (or nettvork of tracking routers) Dynamic routing it then used to redirect 
all packets destined for the victim so that they will then go through the tracking routers; 
then bop-by-hop approaches are used to find the source. Centertrack it ideiuificd as a 
"defunct research pct^i" in [Dittrich). 

Active networks alto fit into this category. Active networks pcmtii programs to be tent to 
network infrastructure componertts (e.g., routers), which then run and change the network 
behavior Once csamplc is [Steme 2003), which uses the secure ANTS execution 
emironment The paper also discusses nuny other active network activities and related 
papers. 

An advantage of this technique is that, if the network being reconfigured is large, it may 
be possible to very rapidly identify the attacking source However, the technique also has 
disadvantages. Direct control over a large network can be diflicull to implement, and can 
create its own security vulnerabilities. Indirect approaches (such as controlled flooding) 
can be viewed as an attack, and thus shotdd only he used in limited situations. 

2.6 Query HtMta 

Another attribution technique is to query hosts about their stale. Thb includes using 
cxiuing services In perform such queries, or adding new services lo hosts tn suppoci such 
qucrica 

An authorirod administrator can ux cxisong host tools (such as siandard adminismtivc 
tools) lo monitor an attacker in certain circumstances. These functions may not succeed 
if the attacker controls the host, because the attacker may subvert the tools used to do the 
monitonng. This is particularly a problem for administitnive tools normally on the host; 
an intelligent adversary b likely lo know of such loob and lake steps lo subvcil those 
them. 

[Carrier 2002] dcKribes Session Token Protocol (STOP), an approach for iraccback 
ihrouKh a host toward ha sender. The STOP approach extends the standard 'idenr 
Mrvice lo pennit cxlenuil entities to query about active processes. Once a query b sent, 
the system then examines all incoming conneciinns lo lhal set of processes, and con 
recursively trace back to previous hosts. STOP has die nice property of being an upward- 
compatible extension to an existing service and b able to rapidly backtrack lo ordinary 
TCP/IP connocliona. STOP has been implemcnicd, but only for Unix-ldte systems (there 
b no known reason the technique could not work for other systems such os Windows). 
STOP iolcmionally stores information about the traccback, and merely mums a hash 
sufTicicffl lo request the real data ol a future time; thb b an rffeclive technique for 
supporting pnvacy, but thb approach docs limh its capabilities (the requestor cannot 
control the recursive traccback. so an attacker may thwart simple attempts to trace bock, 
and an attacker mli^ easily be alerted lhal a traccback is occurring). It should be easy to 
extend STOP lo immediately report its data lo a trusted third party (such as a CERT), 
presumably using aulhenlicatiun and encryption When wc contacted the developers of 


S2 



43 


STOP in AiifuM 2002, wc learned thal Ihcfc air no plana to commerclali/c STOP and that 
the authoni of the paper have noi woekcd on STOP since they wtoic the paper. 

An advantage of querying hosts b that it can quickly provide information. A 
diudvantagc is that an attacker may control this informalioii, making the infoimatian far 
less rctbble. Abo, this technique presupposes that a query function already exists. If 
there is no pre-existing query function, then one will need to be Inserted, a technique b 
described in the next section 

2.? Insert Host Monitor Functions (e.g.. "Hack Back") 

If a host does not include a service that provides needed attnbution information, someone 
could odd such services after an attack has been detected 

An authorized administrator can odd host monitoring tools In certain cireumslancet, 
sometimes using standard administrative tools. These toob may not succeed if the 
attacker controls the host, because the attacker may subvert the tools used to do the 
monitoring. One ahemative would be to clean the compromised system and odd 
monitoring fuiKtiont during that cleaning process, but this may thwart eiforts to attribuU; 
an ongoing attack. 

(Asaka 1999a, 1999b, I999cj transmits mobile agents (termed "tracing agents”) into 
systemt when a trace h to occta- The agems use occumubted data abosit the network 
connections and system processes to trace backwards toward the attacker 

|Jang 2000| includes monhoring functions on a boot system. If an attacker uses the host 
system to break into another system and acquires administrator prtvilcgea, the host 
system swieplhiously sends modiricd versions of key programs to the other system, 
modifying the other system to also monitor the attacker. Tracing information ab^ the 
attacker b thus Itiinsmitlcd forward to some of the other hosts on the attack path. 

A honlKr and more controven'ial technique b to break into a host machine or series of 
host machines (termed 1^ some a ‘hack back”), uaually going backwards toward the 
attacker. [Suniford-Oien 1995b) reports that the U,S. Air Force has used this approach, 
calling it "Caller ID,” to track down and arrest on intruder. Caller ID it based on the 
belief thal if an attacker goes through intcrmedislc systems to make an attack, there b a 
high probabilit) that the intermediate systems have known vulnerabilities (including the 
vuincrabilH} dial the biuudcr used). The defender, knowing the same attack methods at 
the attacker does, can simply reverse the attack chain. If the attacker goes through Hosta. 
Hotli, Host:. — Hosi„ (whm Host, b the system actually being attacked), the defender 
can break into HotUi, um that system state to find the next connection back, then break 
into HosW] and to on back toward the otuckcr. jJayawal 2002) discusses some of the 
technological and legal issues related to "hack back”. 

An advantage of inserting host monitoring funcliont it that H can provide valuable 
information on the host's state. However, a disadvantage U thal any attempt to uikiI a 
host monitoring function may be noticed and>'or countered by the attacker. It b often best 


23 



44 


if the (ttacker «xwkl not notice the additional monitors when they are insetted, but it can 
be a challenging task to add monhort without revealing them to a capable attacker 

The "hack back" approach has many additional disadvantages. Fundamentally this 
involves a number of complex legal issues. (Sianifocd-Chcn I995b| reports that 
performing this activity required special permission from the Depoitmcnt of Justice It is 
an extreme measure with many social issues, such at privacy concerns. This it especially 
true if the counter-attack is performed by anyone other than the host owner or au^rucd 
administrator. There is also the possibility that an inlcrmcdiate system cannot be broken 
into (perhaps the attacker used on attack not known to the defender, or the attacker 
improved the security of the systems they broke into). There is also the danger of 
accidentally damagnq; intermediate systems. If hack back is irnplernemed manually, liie 
attacker may be gone long before the attribution can succeed If hack back is automaied, 
there is the danger of going awry (cither by programming error or by malicious 
misleading data providod by an attacker). In short, hack back is an approach with a large 
number of imporlaitt disadvantages |Stanlfotd-Cben 1995b]. 

2,8 Match Streanu (via Headers, Content, and/or Timing) 

Instead of trying to trace through every router and host in a network, it may be possible to 
observe the set of streams entering and exiling some network or system and determine, 
externally, which input streams match which output streams. This technique is often 
referred to as "stream matching.’' 

Figure 3 illintrelcs thb technique In this example, iJiere are a number of data flows (A 
through F) that enter or leave through i few ipcciric links or pons of a netwxrrk or host. 
The goal is to use exiemally-visible information about those flows to determine which 
incoming flows match which outgoing flows. In this example, flow A enters the network 
or host and re-emerges as flow E; flow D enters and re-cmerges as flow F. Not all flows 
need match; flow B enters but does not leave, while flow C originates from the host or 
network (and has no corresponding entering flow). 



Figure S. Stream Matching 


24 






45 


Stream nuiehUig techniques can be further divided talo techniques that examine message 
headers, message content, and message timing. Comhinalktnt of all three apfeoaches are 
possiMc as well 

2.8.1 Stream Matching using Message Headers 

In thn approach, the headers of messages entering and exiting a netwoii or host arc 
examined to determine which incoming streams match which outgoing attcami. and thus 
delcrmine the source of a stream being examined. 

[Yoda 2000) uses time stamps and headers of the packets, in particular the hscieasc in 
sequence codes, to determine if one How "matches" another flow. This approach is more 
effective if the intruder b manually inputting commaisds hy hand (instead of transfetTing 
large filet) (Yoda 2000| Only detenbes how to use the approach to match telnet at 
rksgin (losvs. The TCP sequence numbers are determined by dau content length, so 
Yoda's approach could be considered to involve examining message content as well. 
Yoda's approach will not work if compression of the data stream occtirs differently on 
each part of the chain, nor will h svotk welt If link encryption b used (because the TCP 
headers will be encrypted). 

2.8.2 Stream Matching using Data Content 

In this approach, input and output daU content of streams arc examined to see if they 
mauh. Note that this approach will usually foil if the stream b encrypted "inside" the 
network/hosl. since the data content will be encrypted into a different value. 

(Stoniford-Chen 1995a. 1995b] developed a ieclmii|ue called "ihumbpriniing" that 
divides the stream data into discrete time iiHervals, creates digests of the packets within 
the iiMoval, and computes the similarity of stream digests to determine if one slrctm 
matches another. (Buchhohz) rctmplcmented the approach and commenu on h. Initial 
results appeared very prombing 

IMansfield 2000) discusses characterizing imrusion attempts by first ideiuifying same 
specific noise or other indications of the atlcmpl. These characterizations might include 
TCT-RESET packets. ICMP eeho-rcspoiiac, or destination'port unreachable pockets. The 
observed traffic ptllcm b then match^ with traffic patterns collecled from iIk connected 
network links. The communication between the various managers and agents b carried 
out using the sumdard SNMP management protocol. It could be argued that these arc 
forward-deployed IDSs. but the approach emphasizes matching a particular stream of 
actions to an attack closer to the defender, Bos^ the definKions used in ihb paper, this b 
considered a stream matching approach. 

2.8J Stream Matching using Timing 

In this approach, tuning b used to match streams, by determining if the timing of the 
streams suggests a causal reiatioit. 


85 



(Zhang 2000) dbcusies one approach (identifying times whete there is a transition to and 
IhMn an idle slate), as well as comparing h to some content-based approaches. Zhang 
also noted that inlemwdiaie bans are widely used for a number of Icghimate puiposcs. so 
using a naVvc rule tike "any match is an inirusion'* would resuh in a massive number of 
false positives. 

(Obta 2000) uses distributed sensors lo capture error messages such as ICMP's 
'destination unreachable'' as a way to detect network scans. The sensors then use timing 
correlations to determine the source network. Thus, thu approach combined forward- 
deployed IDS sensors wHh matching by timing 

(Lee 2<X)2| mentions that researchers in Purdue are looking at this approach. In tome 
approaches, a stream's timing couid be imentionBlIy perairbed (e.g.. intentionally 
inserting delays on a particular stream) lo see if it hat an effect: If there is a change, this 
increases the conridcncc of a match. (Staniford 2000) alto notes the approach of 
matching timing, using a variety of signal analysis techniques. [Wang 2002) also 
discusses the approach. 

Matching streams using timing can help idemi^^ stepping stooev but it is less effective 
for zombies. This is because a zombie's response can occur long after its command 

2JS.4 .\dvantngi*a & Diaadvantagea 

An advantage of stream matching is that h can aid attributioo without requiring 
knowledge of the internal state of a host or network. However, actually matching streams 
is a difficult challenge. In particular, the technique tends lo have difficulties with 
encryption and zombies because they hide the infonnalion used to match streams. 

2.9 Exploil/Forcc Attacker Self-ldentincalion 

In some cases h Is possible lo use information the attacker sends (intentionally or not) to 
identify the attacker, or force the attacker to unintentionally identify' themselves. This is a 
broad technique, with a numbn of specialized approaches. Some of the approaches to 
implementing this technique employ: 

1. Data intentionally included by the attacker. For example, spam messages 
often include informatioa on how to buy a product. Instrod of trying lo track 
down the system used by the spammer, h may be simpler to find the spammer 
(or whoever paid the spammer) by using the infonnalion for buying the 
product. 

2. Self-Identifying protocols. Meny prolocob and file formats include 
identification marks of sotnc kind, such as the "Windows ID' (Rieciuti 1999) 
or CPU ID (Miles 1999). 

3. Beacons For purposes of this paper, a "beacon" is a tool, inserted by a 
defender into an attacker's enviro n ment, that causa the attacker lo 



unintentionally idcniily thenuelvo when the itucker performs some action. 
The action b not necessarily an attack; the action simply needs to be an action 
that the attacker wmiM perfonn. One example of a bea^ Is a “web bug.” In 
a web bug, an HTML page includes a remotely-referenced Uanscluded‘ value 
such as an invisible image (typically a transparent Ixl pixel image). If the 
attacker views the HTML page using a typical browser, the browser will 
automatically attempt to download the remotely-referenced value. The victim 
con then attempt to attribute any attempt to reference the transcluded image 
(Smith. WbeelCT 2002]. Note that these techniques requite that the attacker 
acquire the dato/bcacon and a triggering technique. 

4. Cookies. Many protocols send mformation to a clKia, and expect the client to 
return that information later. For exanqslc, the IffTP protocol used by the 
World Wide Web iiKludcs support for “web cookies." In some cases, it may 
be possible for a victim to send a web cookie out to the attacker, causing the 
attacker to imintentionally identify themselves later. Many organizations have 
expressed concent over web cookies (Junkbusteis 2002] (EPIC 2002]. 

5. LoJackfr-like tools It msy be possible to inchide. or insert, a program that 
con respond to later queries. This con be efTeclive, for example, when trying 
to idettlify attackers using a stolen laptop; h may be possi^ to embed on 
Idenufying message that the laptop sends (possibly triggered by some other 
action) that would enable a victim to track down the location of the attacker 
A widely-published example of this approach involves R.D. Bridges, who 
tracked down his sister's stolen IMac using the remote access software 
Timbuktu JCohcn 2002). 

6. Watermarking. In this approach, an attacker receives data that, while not 
active, enables later identification that the attacker truly b the attacker because 
that data b unique in some way. For example, (iohnson 1999) provides an 
introduction to rocoverirq) watermarks from images. 

An advantage of this technique b that when H works, it can directly reveal the attacker 
regardless of the number of layers and indirect systems the attacker uses to foil 
attribution. However, many of these techniques depend on highly technical and 
specialized approaches that are often easy to foil once an attacker knows about them. 

2.10 Observe Honeypot/honeynet 

Honcypols and honcynets arc systems that appear to be normal systems, but in fact arc 
never used by the defender for normal purposes. Thus, any use of the honeypot or 


* Tra w e t usi n n U llw act af quotlna anotifriloc unun i cw Bw nciwixt. abKMt havaia IP aesaaPy copy miiaait 
Ik* c c ou a l Wah tmdHsiMi. an aOhar can quusc enpui kxiicc iTi*ieri*l oa die web, from be servo on 
which a Rsides. The term onainalet horn Ted hicbm's Xanadu pioyect. one of be picctirMrs lo die Wuald 
WideWeb Ahn*fdiresewoaiteniii iw h M ioo»il hnii..‘wwwihBiti«icineMWdibxl906inwhniil 



48 


honcynci is b> dcfintlion use by an attacker. Although definitions vary, for purposes of 
this paper a hoitcypot is a single system, while a honcynet is network of honeypols. Note 
that the Honeynet project defines the term “honcynet'’ more narrowly: in their defiiutkin. 
a honeyiKt must use “real" (not simulated) systems and must only be used for observing 
(not reacting to) attackers. Early expeneiKc with honeyncts can be found in [Stoll 1990, 
Chcswick I992|. More recent experience from the honcynet project can found in 
(Honeynet 2003). 

for purposes of this paper, a honcysystem is either a honeypot or a honeynet. 
Honcysystems often pcHorm simulated activities (to make them look like a normal 
system) and are specially monitored to observe attacker actions. Honeysystems arc 
typically used for intrusion detection. 

In the context of attribution, boncysystems can reveal attack paths in ways uncxpcctcsl by 
an attacker In particular, a honcysystem can be used to immediately reveal the presence 
of a zombie if the zombie u plwed in the honeysystem. An ottadicr would expect a 
zombie to delay Kt attack, but the mere presence of the zombie can reveal the onacker. 
Honeysystems are typically specially insirumetned and monilorod. and these additional 
monitors can be used to diiectly identify attack paths for attribution 

A significant advaruage of honeysystems it that they can aid in countering zombies, os 
well at speed tracing backwards in any uaceback process (due to their instrumentation). 
However, to work well, honeysystems mutt be monitored and their results analyzed, 
which often reipiircs tignificaiu cxpeitisc. Also, honeysystems only work for attribution 
if the attacker chooses an attack path through a honeysystem. 

2.11 Employ Forward-deployed Intrusion Detection Systems (IDSs) 

In this apixtwch. intrusion detection systems (IDSs) arc piaced at close as possible to 
potential entry points of attackers. Typically, IDSs are deployed In a defender's location, 
to maximize detection of an attack. In contrast, a “forwaidHleploycir IDS is placed 
further away from the defended system and closer to the attacker, to maximize attributbn 
inrormation. This paper uses the tem “forwardnleployed" as an analogy to a military 
deployment; forward-deployed units air the units intentionally placed clo^ U> an enemy. 

Due In the location of their sensors, when forward-deployed IDSs trigger they provide 
much better infonnation on the attacker's location than if on attack had to be ttac^ hack 
starting from the victim. In some cases, such systems can also implement automated 
responses (such as reducing bandwidth or disconnecting the netwoik) Obviously, this 
technique only works if the IDS system can actually detect when an attacker performs a 
moliciout actum Note that these IDS systems, as with any other IDS deployment, may 
be based on detecting speciftc attack patlems. detecting anomalous behavior, or both. 
For a survey and taxonomy of IDSs, see ( Axcisson 2000). 

Some attacks or attack patterns (e-g., SYN without ACK. a targe number of multiple 
requests without responses in a requeu-iesponsc protocol) con be prc-poshioncd, and 
uiggertd when they occur. Some tools ore speciftcally designed to detect patterns of 





49 


known DDoS Mtackv which hcipt in the case of • known DDoS loob luch toob inchide 
David Bnanicy's Renwlc.lMnii>>on.Dcuclor(R10). the Nalional InfraMnicturc Protection 
Center'* TWNOOTribnl Flood Net^fnZk detection tool. BindView’s Zombie Za|i|ier, 
and Romenrind [Dittrich]. 

Mo/u Neewocis of Cambridge, MA tnaket hardware device* that It claims are able to 
detect and thwort'DDoS aiuicks\ Mazu claims that their etiuipment performs a fine- 
grained triflic analysb (at gigabit network speeds on OC-12 links) and creates a 
(Utistical model of "normal'' trafTic. It then uses this model to detect anomalous traffic 
that suggests the prcsetKC of a DDoS attack Reactive Networks "FloodGuanT and Arbor 
network's Peakflow DoS pnoduct appev to work on similar principles, by attempting to 
detect ononudous behavior upstream. 

I Arkin 2(XC| describes multiple approaches for onributimi (the first approach, logging all 
public network traffic, b discussed in section 2.1.1). [Atkin 2002}'* second approach it 
in essence a set of forward-deployed lOSs; Arkin hat the notion of a global ly-deployed 
set of IDSs, which look for known exploit allempU and'or anomalies to quickly identify 
attackers before their distribulod attacks make it more difficult to identify the attacker. 

(Templeton 2<X>J) descrihes various techniques for delecting spoofed packets. For 
exanple, a lime-to-live (TTL) value different from past values for a source to a 
destination may suggest a spoofed packet. Detecting spoofed messages can be 
particularly valuable for attribution. 

Forward-deployed IDSs have far greater capability if the attack potterris being delected 
con be updated frequently and rapidly. However, this imposes complicalions. As with 
many other attribution techniques, the systems supporting the attribulion must be 
protected. A forward-deployed IDS system lends to Ire more vulnerable to an attacker 
than many other tools due to its location. As a result, a forward-deployed IDS might be 
disabled, remotely controlled (lo respond with forged infomvaiioo). or have iu patlems 
revealed Since an attacker may be able to control the IDS, there may be good reasons 
for not revealing all known imnisioo pattems in a forward-deployed IDS, because thb 
would enable an attacker to know exactly what attacks will not be detected. Reducing the 
number of attacks detected by an IDS reduces the IDS' effectiveness. 

If the IDS tool can update iU poltcnu rapidly, it rapidly also becomes an “input 
debugging" tool. IkTicn used this way. the It^ con deica pre-identifled attack patterns, 
aivd if a new pattern becomes known, b can be used to detect the nesl occurrence. 
However, unlike input debugging, forward-deployed IDS systems can detect the initial 
occurrence of an attack and do not require multiple messages to begin attribution. 

An advantage of this approach if that the IDS tool. If deployed sufTiciently close lo the 
attacker, can immcdialely detect ollackt H is configur^ lo detect, without the log 


Ttctwiica) intonniUiin about Maiu Netwocki mi obtained tram ihcu web sne: 
hilB:''www.in aiiMi«tworti .t4iBi ioliaioni.bliiil and hitp '-www ni.ninni.CTVi r«iii.1ie.w<iw<Mii biml 



50 


crvcrhead required by log & quay systore- Hoviever. there ate disadvantages os well 
This approach sufleni front the problems of all IDSs: they are prone to a large number of 
false positives and/or false negatives, requiring cottstatu surveillance. .\s a practical 
matter, the nsatty false positives artd false negatives mean that the alerts must be 
forwarded for logging aial later analysis, greatly weakening the potential for rapid 
response in many circumstances and requiring specialized labor. Abo this technique can 
be difTicult to widely deploy without other information about an attacker (e,g., where they 
arc likely to atuck from) and is most elTcctive when pbeed close to an attacker (which is 
dinkull for esienul attackers). 

2.12 Herform Filteriiag (e.g.. Network Ingress Filtering) 

Another technique to aid attribution is to filter messages so that certain links only permit 
messages to pass if they meet certain criteria that ease attribinian. A receiver of a 
message that does not meet the criteria can then be assured that either the filtering was 
not successfully implemented (e,g, the attacker broke the filtering mechanism! or that the 
filtered link was not used. 

A simple example would be a set of MTAs that reject email messages not signed by 
certain trusted senders. Another example would be modifying a network's archilectuc to 
remove links that stymie attribution and limitirtg what con pass over the remaining links. 

The "Tjerform filtering" technique can be specifically focused on supporting attribution 
by devising a network so that any message entering the network must have data that 
correctly identifies where it entered the network. This porticulor application of the 
technique, when applied at the IP picket level, b called the “network ingress filtering” 
approach t)uc to its many advantages, the network ingress (lllering approach is 
particularly emphasized in this section. 

2.12.1 Network Ingress Filtering Definition 

Network ingress filtering b an approach that restricts network tralllc by requiring that all 
messages entering a network have a valid "source" value for that network entiy point. 
Ideally, the valid values for different entry points should be non-overbpping so that any 
entering message uniquely identifies its entry poim. Dverlapf create ambiguity) but even 
in the presence of overbp this approach can be useful since the approaeh wvnild reduce 
the number of possible entry points. Network ingress filtering for IP b defined in dcuU 
in IETF RFC 2827 (IETF 2827). The ability to implement thb kind of capability b 
lecoouncnded in the earlier IETF RFC 1812 (IETF 1812, 96). Documenu such as 
(SANS 2(l00b] describe how to implement network ingress filtering in more detail. 

The network ingress filtering approach oould be applied to prolocob other than IP. For 
example, mail transfer agents (MTAs) could refuse to transfer email cbhning to come 
from an invalid location (eg., a “From;" or “Received;" entry inconsistent with the 
sender's IP address). However, since most experience with network ingress filtering has 
been with IP. the following text will conccnitale on its use in IP. 


30 



51 


2.12.2 Network IngreBs Fillcrins Implententation 

Implementing netwewit ingmts nitcring of IP pockeu only requires simple picket 
niicring, « opnbiliiy buih into most of today's routers and a fundamenUl capability 
included in any firewall. Thui, implementation primarily involves reconfiguring the 
existing routers (or in rare cases, inserting riretsalls) that connect other netwoeks lo the 
network being protected. In short, all conneciiona lo other networks must ensure that the 
source informaiion is valid for the given cormcclion. 

Figure 4 shows a sample network ingress filtering conriguralion. In this example, the 
filtered network hat connections to an external network through multiple gateways, as 
well as connections to many internal networks through major routers. All of those routers 
(El. E2. E3, GW I , and GW2) arc configured so that a packet's source address must be in 
a valid range lo pass through those routers. Thus, in this figure, the attacker connected 
through router Ell wfto is anacking victim I must reveal that they are located in network 
El. given certain caveats ducussed below. 



Fifurn 4. Nfitwork Ingms PUlerifig 

For a typical wide area (WAN) that connects to both the “outside" and to 

“intema'r networks, two kinds of configurations are necessary to change an unfiltered 
WAN imo a filtcied WAN: 

1 , Rennets connecting to the outside must forbid messages that try to enter the 
filltred nelwxsrk from the ouuide, yet claim lo come from the inside. This is a 
generally accepted practice, as doing otherwise can permit many security 
probkms, and is the fundamcnul rule implemented by even trivial firewalls. 

2. Roulcra connecting lo “iiucmar nclwsirks mutt forbid messages that try lo 
enur the filtered nctvwitk from the internal network, yet claim lo come from 
utmewhctc other than that specific ImcnMl network. For example, if an 
internal network is allocated the IP address range 204.69.207,x (more 


31 


fomulty, 3M.69J!07.(V24), the router to die WAN must filter (remove) any 
packet comins from that nctwoil that did not use the altocalcd 204.69^07 
prefix 

A apecific example of auch a WAN b the DoD NIPRNet. wdiich currently has 21 
gateways (crpiivalcnt to GWe in Figure 4) and approximately 1,500 ‘iirat-tier 
conncctiam" (equivalent to the major routers Ex in Figure 4). Consequently, diming the 
NIPRNet into a filleted network would require a minor reconfiguration of approximately 
1421 roulcrx. Such reconfiguration b non-trivial, but these routen’ configurations must 
be maintained anyway, and this reconfiguration can occur over lime. 

Network ingress filtering can he implemented on multiple connected networks (such as a 
larger WAN. all of the WANs below h, and some highly sensitive LANs below them). As 
more networks ate filtered, netviork ingress filtering provides more and more precise 
attribution information 

The filtering rules only need to be sufficiently precise to identify the point of ingress irao 
that particular filtered netwxKk. If a router comectbig to an inlemal network supports a 
large number of valid prefixes, il does not need separate roles for each, merely a larger 
range that includes the valid prefixes and does not also itKlude a range allowed by a 
different router Requiring routen to have simpb and non-overlapping IP address ranges 
b already a highly' desirable property in TCP/IP network design, because allowing 
arbitrary prefixes leads to huge routing tables that can complkale administnlKm and 
impose significam networking overhead. Thus, for most routers, the roles to support 
network mgress filtering can be fairly aimple, with a few exceptions for specbl cases 
(such os nciwoiks that have moved from one region to another yei kepi their old IP 
addresses). 

If a given address can legilimalely enter a network through multiple entry poind, all of 
those entry points must petmit H. Thb weakens the value of network ingress filtering for 
those addresses. This is the case, for exampir, when supporting some deployments of 
Mobile IP if the source IP address can legilimalely move between entry poind of the 
fillered network. However, even when weakened, network ingress filtering can still be 
useful for attributioii. In such cases, tlic source address information b ambiguous, but it 
still reduces the number of possible entries to a small set (this infonnilion can be 
combined with other uifotmation to perform more dediled informalian). 

Network ingress filtering requires that all (or nearly all) entry poind of the filtered 
netwuil implcmcnl fihcring. There b the danger that fillers will not be correctly 
configured or will be incorrectly configured later. One solution b U> use automated test 
programs that attempt to send spoofed information, and then report a problem if they 
succeed Such automated test programs are easy to create. The ORNL spoof testing 
service (at hitni Vww w.cMn.oml.yov. -duniuaiv'oci'seoof.himl) is intended to become such 
a service, as is ICSA's NctUbnus t httn.'/www.icsa.net ). 

There arc other names for network ingress filtering, namely "egress filtering" and 
"reverse firrwalling." These alternate names arc because of the way network 



Ingres* nilcring it often implemenled In man) cmses network ingret* filiertng is 
impictnenied on t larger network that tmtller local networks conneet to. From the point 
of view- of these local networks, this approach (ilien the message* leaving (egressingl the 
local network Since network ingress filtering is often implemenled using firewalls, but 
with roles preventing tome messages from leaving the network instead of entering the 
network, the term reverse fircwalling it also used. However, when the network ingress 
filtering approach is used on other network arehilecturcs these term* can tpikfcl) become 
misleading Thus, the IETF refers to ihete filicri as “htgress" filters, because icgaidlcss 
of the network architecture, network ingress filtering always filters messages entering the 
filtered network. This paper follows the lETF's naming convention as defined in (IETF 
M27| 


2.I2J Network Ingress Filtering for Attribution 

Network tngtess filtering aids attrihution, because it fortes an attacker to reveal (in most 
cases) information about their network location 

More specifically, when attacked, a vklim knows one of the following is tnie: 

t, Nclsvork ingress filtering has not been implememed properly. There arc 
simple tests that can be used to automatically determine if filtering has been 
implemenlod properly. 

2. A filter (e.g.. major router) and'or other networking component inside the 
network has had a lecurity breach and consequently no longer filters correctly 
In some cases testing can find this, but simple testing may not detect subtle 
breaches There are ways to reduce this risk, such as using multiple fillers in 
scqiKncc, router monitors, and hardened routers. In addition, passive router 
monium (implemenled so that they cannot transmit back onto the network) 
can examine router inputs and outputs to detect possible leaks. 

J. The attacker's location is to “close" lo the victim ihal the attacker never 
passed through a filler. For example, tee the case where the attacker attacks 
Vklim 2 in Figure 4. In this case, the set of possible locations it obvioutty 
fairly small, tignificamly aiding anribution 

4. The message header's source informaliun gives mformation on the location of 
the attacker If the attack came from ibe outside, it will have an outside 
address, if it came from the inside. It will have an inside address identifying 
which inside location it came from, in the nmge forced by the filtofs) 
Usually, dlls will be a single entry point bito a network, ihov^ if the filters 
have bm weakened (c.g., lo support some uses of Mobile IP), this may be a 
set of possible entry points. 

Again, as multiple 10*011 of network ingress nhering arc added, the message header's 
source value will give increasingly precise infarmatkm on the attack's network location. 



54 


2.12.4 Network Ingress Filtering Advantages 

There ire i number of sdvinuiges to network ingress iillcnng For attiibution: 

1. It is relatively easily implemented today si low cost with existing 
infrastnicture. Implementation leriuircs policies, conrigunilion of existing 
nilers (routers and llrtwails) by netv^ administrators, upgrades of 
componetHs in rare cases, and simple occasional tests to csuurc that the 
(illering is in operation. Ilierc is little to buy. existing personnel and products 
can be used to implement H. and since H is a relatively simple connguration. 
training costs are not expected to be high. This does not mean that it is trivial; 
any policy change requires coordination, and reconfiguring ail routers on any 
maior network is not trivial. However, it is less expertsive than many other 
approaches, since many other approaches requite deploying a large number of 
new hardware and'or software compooenls as well as training pctsormcl to 
ieam new skills. 

2. It can be deployed incrcntenully, with incremental improvements in 
attribution This can be viewed in two ways; 

a. The routers on a given filtered network can have their rules modified in 
suges. instead of trying to modify all routers at once. Although the 
bcrKfits of ingress filtering are primarily obvious when all (or nearly all) 
routers of a network do the filtering, even implementing the approach on a 
subset of routers can aid attribution by reducing the number of possible 
paths that must be uaced back. Adding the rules incrementally can also 
aid in identify ing the cause of any uninicniional problem. 

b. Network ingress filtering can be beneficially imptcmcnicd on a single 
major backbone and provide a benefit, and later deployed on additional 
networks to provide increasingly more precise attribution. This properly - 
of not tequiring all networks to be changed simultaneously - also 
simplifies deployment 

3. ImplemcniBtion of network ingress filtering can be made a requirement for 
conncctioii to certain oelwotks. Thus, once a netwoik ingress filtering regime 
is set up, it should be easy to maintain. 

4. Network ingtets fihering supports attribution without requiring message logs 
of unrelated messages or additional network bandwidth. Logging systems 
have complications due to die difficulties of acquiring data at speed, storing 
logs, and retrieving the correct data later. Techniques that send new messages 
or extend mesrages lake additional network bandwidth. The llltcring 
technique (including specifically the network Ingress filtering ippcoochl 
requires neither. 





55 


5. N'crworfc ingreu rillering it gctienlly inuupamn to usm. Since the liliering 
lutc* limply enforce what luen "thould" do, ufcn ue genemlly unaware of 
the filtering; tools simply work as usual. 

6. There arc no known legal impediments. Since the filtering niles simply 
prevent fniging of source addresses, there are no kitown laws that forbid 
deploymem In cetuin cases some slate laws even forbid forging "from'' 
infotmalion (e.g., some state anti-spam laws). 

2,12.5 Network Ingress FilCcring Disndvantages 

Of course, network ingress filtering is not perfect. There are a number of disadvantages 
to network ingress filtering when used for attribution; 

1. Network ingress filtering must be implemented by nearly every entry point 
into a given filtered network to be efTective. If some entry points do not 
implement the rules, then any nllack message may have alto bm sent through 
■hose Cfiity points. If there arc more than a few entry points that do not 
implemetH the filtering rules, the value of network ingress filtering for 
allribution goes down rapidly (unless supported by other techniques). 

2. Networks that must support multiple entiy palhs, such as some uses of Mobile 
IP and permanently enabled backup routes, supply weaker altribution 
infomialkin for Ibote messages. In the worse case, it can somewhat interfere 
with fault tolerance, since the rules could forbid alternative routes that might 
be desirable. This is actually a variation of the first point: if the fihering rules 
must allow multiple entry paths, then a given message may have taken any of 
Ihooc ento paths, making the message harder to attribute. 

3. Network ingress liliering h primarily useful for intcmal network allribution 
and to determine if an attack came from the "outside.’' Since generally only 
"inlemar networks can be required In implemerd netwurk ingress filtering 
rules, the approach is only useful for those networks. Thus, in the shorter 
Icrm, this approach is probably more useful for organualions that ore 
concerned about threats from within networks they control. 

In tbc longer term, this approach could be applied to countries or even 
imemalionally to give more allribution information. For example. U.S. law 
could be modified to require network ingress filtering on U.S. Inicmci Service 
Providers flSPs). In that case, network ingress filtering could aid altribution 
of a (probably inlcrmcdiale) system inside the U,S. and identify messages that 
originated from outside the II.S. as well. Note, however, that it would not 
reliably identify the network for messages originating from outside the U.S., 
because attackers could send messages through interconnected non-U-S. 
nclwurks- Thus, attackers would quickly move to use at least some 
inicmiediarics outside U,S. jurisdiction. 


36 



56 


WorldwMle rintcnutional) implaneiUalion i> technically possible, but this is 
probably impractical - the amount of worldwide cooperation required is 
simply too great Also, worldwide implefnenlalion would aid againsl 
indepoident attackers, but not against natioo-stales. For both the U.S. and 
worldwide scenarios, the number of systems that would need to be configured 
would be extremely large, and if any were compromised, bogus information 
could be sent Indeed, if the approach were introduced countrywide or 
worldwide, there would be many places where messages could be 
surreptitiously iiueilcd. This would not eliminate the value of the filtering, 
but it would reduce its value. 

4. Network ingress Filtering only identilies the attacker network or range of 
iKlwotks; it does not (necessarily) identify an individual host. Thus, the 
approach does not climinau; all spooFmg: It simply reduces the range of 
spoofed values. As a result, it must be combined with other techniques once 
the network or range of networks has been identified. 

5. As with many other techniques listed here, network ingress Filtering by hselF it 
can only attribute a stepping stone. This approach cannot, by itself, identiFy 
the source behind the stepping stone. Treeing backwards through stepping 
stones requites other techniques 

6. Network ingress filtering is problematic to nahely implement in some nnv-IP 
protocols Network ingress Filtering b a general approach, but most of the 
literature examines it only From the viewpoint of filtering IP packets. It can be 
more ptoblematic to re-implement the same ideas at the level of siore-and- 
forwa^ network protocols such as email, shscc email's whole psirpose b to 
pass on messages originally sem by others. Thus, If the same technique were 
directly applied without modilicalion to email prolocob instead of the IP 
layer, il could interfere with mail forwarding and other useful capabilKies. 
Thu docs not mean the approach could not be used in such protocols: vtriosu 
wrapping loehniqucs or uuge limitations could still enable use of the 
approach in other protocols Note Ihit this has nothing to do with network 
ingress Filtering when applied to IP; email passes through IP-level netwxrrk 
ingress Filtering without problems on a correctly configured IP network. 

7. Network ingrets filtering imposes some administrative overhead, especially to 
initially deploy as well as to maintain. 

t. Network ingress Filtering imposes a performance cost, because every router 
Implementing the Fillers must check new rules For every message. The 
perFormance cost depends on the complexity of the rules. Tlie rules must be 
sufllcsetu to uniquely identify a router. Since Ihb b also a highly desirable 
properly in TCPTP network design (to simplify routing tables), the 
performance impact will be small in many TCP/tP networks. In many cases, 
network ingress Filtering can be implemcnud using one or two rules that can 
be checked without noticeable degradation of router or network performance. 


36 



57 


However, this will not be true for <11 nctworis. The approoch may have a 
pankulariy lu]te performance and administrative overhead on routers that 
tuppon a very latjp: number of different noncontiguous address ranges. 

In particular, routers that ate very close to their nuuittunn load may need to be 
upgraded due to the additional overhead 


2.12.6 Filtering .-Vdyantages and Disadvantages 

Many of advantages and disadvantages of the network ingress filtering approach also 
apply to any other approach irtgilemetaing the filtering technique. 

Advantages of the "perform filtering" technique include: it is often easily implemented 
with existing infrastructure, it does not require maintaining logs, h is usually transparent 
to users, and there are rarely legal impediments. Disadvanlages include tlw fact that it 
must be implemented at nearly every relevant entry point. H can often only identify that a 
message came from "outside" the suite of fihen (instead of its exact source), it often only 
identifies a range of sources (not the specific source), it can be difficult to employ on 
some protocols, it inqxises administrative overhead to install and maintain the filters, and 
it impoaet performance costs to execute the filters. 

2.13 Implement Spoof Prevention 

Protocolt and'or their implementations can be modified, configured, or replaced to limit 
spoofing, simplifying attribution. Note Ibat this technique b different from filtering 
techniques. Filtering techniques, such as the network ingress filtering approach, limit the 
source address value used in the data sent through the network, and ore imposed near the 
sender's location or in the intermediate network In contrast, protocol spoof prcvenlion 
verifies that there b a valid connection back to the sender, and b imposed near or by the 
receiver's tocation. 

In some cases, systems can be reconfigured to make spoofing more difficult: 

I. Insecure protocols that are easily spoofed can be modified, reconfigured, or 
replaced to use differcM. mote secure protocols that perform the same 
function. For example; 

a. The old mp protocol can he replaced with the ssh protocol extensions to 
support file copying 

b. UDP packets are cosy to spoof on an internet, but TCP packets sre more 
dllficult to spoof. This b bccauM TCP requites on Initial two-way 
cxchsiigt of sespunce numhers Thus, protocols which can use cither 
UDP or TCP can be configured to use only TCP, making spoofing more 
difficult 


ST 



2. Eatily-spoofed prolacoU can be tunneled iniide other piDlocols that rain 
spoofing. For example, an organization could implement a Vinual Private 
Netvmrfc (VPN) using IPSEC, and then require all communication to go 
through the VPN. 

Implementations of protocols with ami-spoof capsbililks can be hardened so 
they arc difTicuh to expioiL For example, on many systems. TCP sequence 
numbers are easily guessed, making spoofing of them much simpler In 
contrast, some TCP impkmentalioni are designed to make TCP sequence 
numbers much harder to guas. Thus, replacing or upgrading systems to 
eliminate easily-guased TCP sequence numbers can aid attribution by making 
certain kinds of spoofing diflicuh. The problem of easily -guessed TCP 
sequence numbers has been known for years, and recommendations to 
improve this situation are publicly documented (Bcllovin 1996). 
Unfortunately, many widely-deployed systems still have these problems. 
[Zalewski 2001] found that, in 2001. only Linux and a not-yet-deployed 
version of OpcnBSD had diflicuh-lo-guess TCP sequence numbers of the 
many systems rated In contrast, other common systems had "more or less 
serious flaws that make short-time TCP sequence number prediction attacks 
possible." Windows 2000 and Wndows NT4 SP6a were considered mildly 
vulnerable to attacks: older versions of Windows were extremely vulnerable, 
u were several widety-used Unix implementations. 

4. Stronger authentication approacha and practica could peevent attackers from 
spoofing that they are (other) legitiiruue users. Some protocols have optional 
authentication approodia that, if enabled, can make spoofing far more 
dilTIcult. Eliminating cleanext. default, or easily guased authentication 
passwords would make it more diflkull for an attacker to forge or hide an 
identity 

Carefully designed protocols can simultaneously make spoofmg and successful DOoS 
attacks more difftcull. If a protocol icquira a timc-constaning authentication operation 
when the client makes an initial requat, the system is vulnerable to DDoS attacks. This 
Is because an attacker can simply send large numbers of invalid requesu. overwhelming 
the defender's resoutca. This problem occurs whenever the attacker can crate Invalid 
requests signifiuntly faster than the defender an validate them. There are well-known 
tcchniqua for dating with these issues, such as: 

1. Protocols can at least determine that there is a hl-dircctional path by lint 
requiring that a nonce he exchanged (the TCP protocol doa this). 

2. If the defenkr must track all partially-opened connections, attacken may still 
be able to qukkiy overwhebn storage resourea: this is the basis of the SYN 
attack against TCP implemcnuitions (CERT 1996 ). Icchniqua such as “SYN 
cookia~ con prevent this by requiring that the defender respond with a value 
that requiro linie overhead to validate (Bernstein). 



3. TIk protocol can requite ihat a client ftm lohe a "puzzle.*' A "puzzle" U any 
value which cosu terven little time to verify but coMs the client a iignirrcaru 
amoum of time to ulve. Thus, allacken acting as clieMf can send invalid 
puzzle toluiians - but the server can quickly reject them - o» they can solve 
the puzzles - slowing the DDoS allack. No protocol design can truly prevent 
DDoS attacks, but puzzles can make such attacks more difTicull Puzzles also 
make spoofing somewhat mote diflicuh. os they force the attacker to expose a 
channel that can (at least temporarily) teach them. 

Other approaches can abo make spoonng (at varknis protocol Icveb) mote diflicuh. 
IJung 1993) presents an approach, named "Caller Identification System in the Internet 
Environment" (CISIE), where during the process of logging into a remote host, the 
originating host must present a trace for the user (which the destination then verifies and 
togs). This approach requires that every host support such queries and that the approach 
be implement^ for each protocol. [Buchholz] tried to re-implement CISIE and found 
significant dilTiculiies in doing so. In particular, a way to match outgoing connectiont to 
incoming connectiont is needed: this it possible, but the lack of detail on this problem 
suggests that CISIE has not yet been fully implemented. 

Templeton (2003) describes various techniques for detecting spoofed packets. For 
example, a time-u-live (TTL) value diflerem bom past values for a source to a 
destination may luggcti a spoofed packet This could be combined with protocols that 
attempt to deteimine if the other panietpam b truly the intended participant, or an 
imposter. 

The Deciduous approach [DccmIuoub. Ching 1999, 20(X), undated) requires that IPSEC’s 
Authentication Headers (AH) be used by at least some of die routers in the 
communication path, and uses these hcadets to help identify the source. Their 
implementation requires significant modification for use: application programs must be 
modified and a new operating system kernel call must be added to permit applications to 
identify the security associations attached to the received data. 

An example of thb technique at a higher protocol level than IP would be a policy that 
rejects unsigned and unvalidated email at the recipicnl's final mail iransrer agent (MTA) 
or email reader (thb could also be considered an extreme form of a filler). At this lime, 
such a policy b probably impractical in many situations, but such a policy could be 
required in some situations and might became practical for more users in the future. 

A far more pervasive and controversial approach b "eONA," on approach hriefly 
examined by DARPA in 2002. In this approach, portions of the Inlemcl would be 
designated as "public network hi^iways" which would be designed to forbid anonymity. 
To access these ponions, all network and client resources would be required to maintain 
traces of user infomialion (called cDNA) so the user could be uniquely identified os 
having vbHed a web site, having started a process, or having sent a packet. A user would 
need to enter a digital version of unique personal idemifiers (like a fingerprint or voice), 
which would then be turned into an electronic signature appended to any message. SRI 
was asked to bnefly investigate the concept, and in August 2002, SRI brought together 



60 


trspecied coRipuier lecurily researchen as pan of the invcstigalion. Almost all 
panicipants strongly etitieix^ the concept, on both technical and privacy grouiKts. and 
several believed the approach would not solve the problems it was trying to address In 
the end, DARPA dccid^ to not pursue cDNA funhec fMariofT 2002] [McCullagh 2002] 
IDARPA2002]. 

An advantage of the spoof reduction technique is that it greatly reduces the number of 
intermediate systems that must be examined by other attribution techniques. VilKte 
protocols and/or implemctuations can be easily modified, configured, or replaced to limit 
spoofing, this approach can be very inexpensive as well. 

There are disadvantages as well. In cases where protocols and/or their implementations 
cannot be easily modified, configured, or replaced, this technique can be very expensive 
In some cases, it may be possible to "wrap" the protocol inside some other more secure 
protocol (such as tPSEC), but this it not always true. The technique is generally not 
useful against stepping stones, since stepping stones can correctly implement a protocol 
while hiding the attacker's location and identity. While this technique can simplily 
attribution, it will generally need the aid of other attribution techniques 

2.14 Secure Hoata/Routers 

Attackers oAcn use multiple intermedialc systems to foil attribution. Therefore, 
attribution can be aided by reducing the number of intemiediate systems an attacker can 
employ. 

This can be accomplished through increased security of hosts and routers, including 
removing unnecessary services from each. A robust security patch process should be 
employed to ensure that all vendor security alerts and patch releases are rapidly 
prioritutd. tested, and deployed on all relevant systems by system adminisiralocs. 
Vulnerability scanning (both host-based atvd netwo^-based) should be used to help 
identify any unpaicbed vulnerabilities. Vulnerabilities found should be rapidly fixed 
General Kchniques for hardening systems are widely discussed elsewhere and are not 
further discussed here. 

The approach of securing hosts and roulers is particularly helpful in reducing broadcast 
amplification. (SANS 2000i) recommends the following (among other steps); 

• Network hardware vendors should ensure that roulers can turn olT the 
forwarding of It* directed broadcast packets os described in RFC 2644 and that 
this is the defauh configuration of every router (network system 
administrators need to ensure this is true when the routers are installed) 

• Unless an arganiratiuo Is aware of a legitimate need to support broadcast or 
muhicait iralTk within its cm ironmem. the forwarding of directed broadcasts 
should be turned otT. Even when broadcast applications are legitimate, an 
organization should block certain types of Uafflc sent to ’broadcast* addresses 


40 



61 


(Cf., ICMP Echo Reply) meuago m that iu lynenu cannot be uwd to 
implement Smurf attacks. 

In particular, system and network admlnlstralnrs should turn ofT the “echo" and "chargeo" 
services unless they have a tpecinc need for those services. This is in general good 
advice for all iKtwork services - netwtuk services should be disabled unless there is a 
specific need for them 

An advantage of this approach is that H is needed for securing systems in any case. A 
disadvanuge is that, themselves, these approaches are not enough to support 
anribution; they simply make other attribution processes easier to perform. 

2.15 Surveil Attacker 

If tliere it sufTicienl evidence U) suggest that a particular person or set of persons might be 
an attacker, various surveiilaocc approaches can be used that specifically target those 
suspects. These include examining email messages, keyboard snilTers. electromagnetic 
radiation surveillatKe, and odser such techniques. Even logs of phone numbers « email 
addresses contacted can be valuable. Computer forensics approaches can be used to 
examine the storage devices of suspects* computers. 

Naturally, there are a number of stricl laws controlling the application of these privacy- 
invading techniques, so these arc not techniques that can be requested or applied lightly. 
In a few cases, dtese techniques can be used immediately once a particular attacker or set 
of attackers it suspected. For example, employers arc permitted to perform certain kinds 
of monitoring on employees. Service providers otsd equipment owners are also tlhywed 
to perform certain kinds of monitoring of their own equipment. Employees and 
customers could be required to sign documents specifically permitting monitoring in 
certain cases. In many other cases, these techniques can only be applied after legal 
actions (such as the graming of a w arruu). 

An adv antage of attacker surveillance is that it can often confiiin if a given attacker truly 
did or did not perform an attack, even if the attacker uses sophistkaled techniques to 
avoid atlrihulinn. A serious disadvantage of the technique is that there needs to be some 
reason to suspect the attseker in the first place, as well as an opportunity to perform the 
surveillance. Abo, even under surveillmcc an attacker may manage to perform on 
undetected attack, since surveillance is never perfect 

2.16 Exploit Reverse Flow 

Many prouxols arc bi-directional, including those used by attackers. If data flows hack 
to the attacker or an attacker's intermediary, this flow may be modified or followed to 
support attribution. 

An example of this technique is the approach called "sleepy watermark tracing" (SilTT). 
in this approach, when the defctxin wishes to attribute an attack the defender injects a 
watermark into the reverse (return) data flow A watermark b simply dau that wo^d not 


41 



62 


noniKlIy be detected by «n aoaclccr For euunple, in the telnet and riogin proiocoli, i 
defender reluming the string- 

"See ncotKibtbib tb* 

would look the sunc to on ittocker as a defender who returned the siring: 

“See me” 

In SWT. iKtworfc server applications (such as telnetd and rtogind) on the defender's host 
system ate modified to be "watermark-enabled,'' so that on command they can insert 
these wateimarks. S\k'T guardian gateways are then used to detect and report the 
pretence of these watermarks. SthT is d^ribed in (Wang 2001a]. S%T response 
options ate further described in [Wang 200 lb]. 

One advantage of the technique is that It can attribute immediately through a large 
number of stepping stones, if the data is not traruformed through processes such os 
encryption. However, there arc many disadvantages. Most such implemenlationi (such 
as SWT) require significant chonges to pre-existing implemenlaliont. Detectors of the 
date in the levcrsc flow must be placed in locations that can actually observe the data, 
and there is always the danger of falte positives from the detectors. Also, hosts that 
transform the data (such at encrypting the data) may foil the technique. 

2.17 Combine Techniques 

Since every technique has its strengths and weaknesses, it is probably mote effective to 
combine the various techniques to perform attribution. For example, network sensors 
could be forward deployed closer to where an attacker might attack from. If the network 
sensors include initial mics for known attacks, they would be considered forward- 
deployed IDSs in this grouping. If they also supported rapid run-time requests for new 
pattetns. they could alto suppoit input debugging. Network ingress filtering might be 
useful to reduce the number of possible networks an attacker came from, and then other 
attribution techniques could be used In identify the attacker's location more precisely . 

Also note that differenl protocol layers can provide difTcrenl information that together 
provide better attribution information. Many implementers concentrate on the IP layer, 
since IP b a common layer, attribution approaches based on the IP layer are more general. 
However, combining information from various protocol laycis (such os IP, authentication 
logs, MTA logs, higher-level protocols, and lower level prolocob) can add information 
that examining only one layer will miss. 

In theoey. an adv antage of combining techniques b that it can overcome many of the 
disadvantages of individual techniques. However, currently there b relatively liule 
cxpertence (or available automation) for combining techniques. Also, combining 
techniques cannot overcome the old phnue "gaibage in. garbage out" — if the results of 
l)ie individual techniques ate woilhless, combining them will not help. 


42 



63 


3. Issues in Attribution Techniques 


This section diKusscs some of the issues common to many attribution techniques. 


3.1 Prepositioning of Tools and Trust is Critical 

Many attribution techniques cannot be applied to on attack unless the attribution 
implemenutions and trust relationships have been prepositkined. This is particularly 
obvious with logging systems; it Is impossible to query a lug unless the logging system 
has already been deployed. However, this is true for many other techniques, such os 
network ingress nilering. 

Even if the technology docs not need to be prepositioned, trust relationships need to be 
preposilioned for attacks to be attributed in a timely manner. For example, input 
debugging for a single attack using a simple pattern docs not lake much time to 
implement technically as long as the routers are iaside a single administrative domain. 
However, rapidly attributing attackers through paths going through external 
administrative domains often requires some son of pre-existing trust relationship between 
the person performing the attribution and the administrators of those external domains. 
The external domain administrators need to know if the request is coming from a 
leghimalc source (with a legitimate reason to know the answer), and the requestor needs 
to know if they are truly communicating with the correct external domain administrators. 
Thus, trust relationships (manual or automated) must be developed so that when requests 
are made they will be honored in a Ihnely way. 

3.2 Prepositioning Tools and Trust in External Networks Is Difficult 

Attacks often originate "outside” of the network being attacked. However, as noted 
above, to be cITcclivc many attribution techniques require some sort of cooperation by 
networks along the path from the attacker to the victim. Gaining such trust, 
unfoitunately. can be very diflkult Even when trust is gained, convincing others to 
implement attribution tools can be a significant challenge. 

3J Networks and Systems Can be Configured to Ease Attribution: 
Changing tbe Terrain 

Networks and systems can be configured to simplify attribution in a variety of ways. 
Network routers and systems can be hardened against attack, spoofabic protocols can be 
eliminated or limit^, cleartext passwords can be eliminated, and broadcast 
amplification/’rencction can be disabled. Attribution can be aided even more directly 


4.3 



64 


through Ifchniquo such u network ingreM flilering. honeypoU, and forwiirdHJcpIoyed 
' tOS systems. 

Wc refer to intcnlionaily reconfiguring s network to case attribution as changing ihr 
Irrraia. In physical warfare, defending militaries spend a great deal of money to modify 
the terrain to impede their enemy and aid Ihermelycs. and have done to throughout 
history (e.g., castles, roads, mines, trenches). In the tame way, a defender con modily 
their computer network astd related netwoils to impede their attacker and aid Uicmselvcs. 

J,4 Attribution is Often Kasier AKainat Insiders 

It somewhat easier to perform altribtiition of inside atuckers or mside intermediaries 
compared to systems outside a defender’s administrative control. This it becauK of the 
factors noted in sections 3.1 through 3J. Since many attribution techniques require 
preposHioning. but prepositioning is diflicult to perf o rm on outside netwoths, many 
techniques can only be fully employed against inside people or systems. Also, since an 
organization can generally only control the network configuration and architecture, a 
defender can generally only change their own network to support attribution in addition, 
organizations can generally monitor their own networks more efTectively and have more 
legal optiom for performing ihii monitoring. 

This is not universally true, and there ore some countervailing forces. Insider personnel 
would tend to know more about an otganization't defenses, and thus might be able to 
circumvent them. For example, inside personnel are more likely to know what systems 
are actually honeypots, and avoid them. Inside systems arc more trusted than outside 
systems, and exploitation of those mist relationships is less likely to be detected. Some 
insiders I such as some of the network administrators) may be specially trusted with 
comrol over the systems used for attribution, or with secret information vital for its 
cITectivc use, and be able to thwart attribution. Ncvetihelcss. many attribution techniques 
do not fundamentally depend on secrecy of the technique, a single inside attacker might 
not know tome key pieces of mforroalion, and inter-system trust can be limited. For 
example, if multiple attribution icchniquet are used, most inside personnel are less likely 
to know of all of them. 

Thui. attribution is in some ways easier to accomplish against inside pcrsoniKl or 
systems than against outsiders. Tlili docs not invalidstc attribution techniques, because 
insiders perpetrate a significant proportion of all attacks. 

3.S Build Attribution Techniques into Common Components 

Deploying separate comporKiits for attribution, and pre-positioning them where 
prepositioning is ncccssaiy, is expensive in both time and money. Thin, it will be 
strongly misled by many. In many cases, it would be better to ensure that many of these 
techniques are built into cominon commercially-avaihble components such as routeis, 
firewalls, operating systems, and common network services (including authentication 
services, email, and so on), fhb would ease the burilen of widespread deployment, both 


44 



inside snd outside ■ netwtnk. In particular, support for oitribulion would be added 
without eflbrt during routine upgrade or repIscetncnL Hotwever. convincing developert 
to include these capabilities into their components is not necessoril)' easy. 

Developert may not see sulTicienl value in incoeporoiing anribuiion techniques into their 
products, to it may often require up-front negotiation and payment to have some 
attribution capabilities added to existing commercially-availoble products: 

1. For proprietary components, adding such capabilities will often require 
negotiation and payment of the developer of the componenL In some cases 
another option is available, developing a separate ‘‘ptug-in." An adv antage of 
"piug-im* is that developing the plug-in con be competed, and a plug-in con 
often be implememcd more rapidly (becouK negotiation with the product 
vendor is reduced or umteccssary). However, developing plug-im can be 
dilTicull (depending on the ncxibilily of the plug-in orchitcctutc), the 
likelihood of deploymcnl is reduced (because adding plug-ini takes additional 
administntive ume), and plug-ins are likely to be more difficult to mamuin 
over time as the product evoKea. 

2 . For open source software components, these options (paying the developer 
and/or developing a plug-in) are available, plus one more: the DoD could 
perform the modifications directly to the software An advantage of directly 
iiiodi^'ing the software is that the change con be competed ortd Implemented 
immediolcly. with far less implementation difTicuhy (c.g„ because there is no 
need to only stay inside a ‘^ug-in" architecture). However, changing the 
software directly has matmenance impacts If these changes arc not merged 
back into the Dusted repository of the open source software, long-term 
maintenance cosu can become large. This is because the open source 
software would change over time, diverging from the modiFicd software. 
Thus, in many cases this suggests a better approach would be to try to 
convince the trusted developers of that open source software project to accept 
the changes. Early negotialion with those who maintain the open source 
•oftware could be essential to increase the likelihood of the work being 
incotporaied into the “main branch" of the software. 

Another way to encourage including atDibution capabilities in coirunoo components 
would he to ensure that these capabilnies are added to relevanl DoD Prouction Pioftles 
(PPs). In some cases acquiring a product it contingent on a Common Criteria (CC) 
evaluation of the product tgalrul a PP. Adding the rcquircmcru to the PP might 
encourage vendors to meet the requirement. 

A related issue would be how the attribution capabilitv ii operationally enabied b it 
always enabled, enabled by defauh (but H can be configured lo disable il), or disabled by 
defauh (but it can be configured lo enable it)? Clearty, from the point of view of 
iltrihulion, being always enabled b the best altenuitivc. However, since some techniques 
have the potential to invade privacy or lower performance, that may not be acceptable lo 
other customers For many techniques, trying lo make il impossible lo disable the 



66 


capibiiit)' is i wistc of lime. .Administraiors mIki tnily want lo diMbk the capabilit) can 
often combine Ihe component wilb other components to thwart allribuDOn. or uk a 
diflcrent compooenl However, it may be rniHful lo try lo have some capabilities enabled 
by dcfaulL Any discussion with a developer of a commercially-available product 
(proprietary or open sourec) should include discussiom on how the capability will be 
enabled. 

>.6 Attribution Require* Funding 

Clearly U will cost money to build or buy attribution capabilities (either at separate 
components or as additions to other components), and there are administrative costs for 
installing, mainlaming. and using components supporting allributiotL Mow will these 
capabilities be paid for? 

There is little evidence that the commercial sector is willing lo primarily shoulder the 
costs of these capabilities. Commercial companies an cotKemed about DOoS atlacls. 
for example, but they arc often only interested in reducing their eftect. not in actually 
identi^’ing the attacker. Even if Ihe cost of attribution were reduced lo zero (an unlikely 
scenario), there seems little benefit to identifying attackers in many cases. Bringing a 
lawsuit against an attacker Is quite likely to be very expensive, and it is unlikely that 
these costs would be recovered. A company bringing a lawsuit risks failing to convict, 
and h is unclear if a conviction would actually reduce attacks. Some companies are very 
concerned about unwanted publkily any such lawsuit would entail Indeed, many 
companies are unlikely to see attributing attackers at their Job. Mott commercial 
companies appear to view identifying attackers at a law enforcemera or military task, not 
a commerctal one. 

Laws could be enacted requiring certain attribution capabilities be embedded in products 
for sale, or requiring providers of services lo implement certain capabilities. This is 
unlikely to be effective for most techniques. Most techniques' costs arc sufllcieMly large 
(especially if research is also icquind) that any such effort would be strongly resisted. 
One exception to this msy be network ingress nilering: it might be possible lo impose a 
requirement on Internet Service Providers to require that any data entering their 
backbones go through such s filler, at least for non>pecn. 

Another approach would be for the U.S. government or DoD lo require that certain 
products must have certain attribution capabilities before they will be acquired. In 
ihoory. vendors would add those capabilities and then pass those costs bock to men 
through higher prices. This altcmalivc approach only works with proprietary vendors, 
who receive fuiiding through usage Hcenses This would require convincing the vendor 
that the cost can be recovered with a profit - an argument that they may not accept It 
should be noted that in many markets the U5. government and'or DoD hat a very small 
portion of Ihe market A vendor can be disadv antaged by spending money to create a 
specialized fealure only wanted by a small portion of the market, because competing 
vendors will spend money on capaMlitics desired by more customers instead. As a result 
Ihe DoD may not have any viable application with attribulioii capabilities, or may ortly 
have inferior applkolions from vendors who decide to add (he attribution capability in (be 


re 



67 


hofic thal the U.S. gmcmmcnl or Dol) will have lo tw) it liuaead of ■ cimipeting uiperior 
product. 

ir the govemincM (including the DoO) wanu the ability lo attribute attacks, in many 
cases the govcrnmeiM may need lo pay (or it directly. One approach is lo fund 
development and deployment of these abilities for widely-used applications. More than 
one product of each category should be funded, so that the govcmmciu is not locked into 
a single product If the government cannot switch lo another product the vendor will 
probably raise prices substantially and is less likely lo provide good service. 


Standards are Needed 

Standards ore crilicilly necessary for attribution for the following reasons: 

• Interoperability. Many iechni<|ucs recpiitc automated inlenciHHi (for speed) 
between many diflcttni organisations and echelons, and it is anprohable that 
eaactly the same vendor would be used for all of them. Different 
organiutions will have preferences for difTereni vendors for a variety of 
reasons (pre-existing rtlaiionsbips, low cost enhanced functionality, working 
well with existing infrastructure, and lo on). Thus, for attribution lo be 
elTcclive on a wide scale, attribution standards lo support inler-venlor 
interoperability will be necessary. 

• Lower cost. By avoiding a proprietary solution from a single vendor, users 
may be able lo select between a variety of offerers- Campctiiioii between 
vendors usually lesulls in a lower price for consumers. 

• Lower risk. If a vendor goes out of business or stops supporting a product 
another can be used 

• Increased llexibility . If a product doesn't provide what is desired, another 
product con be used or the extensions can be developed (the latter is 
particularly cosy if it's an open source product). 

In theory, a standard could be held secret inside the DoO, but a componenl that u so 
widely deployed would be diflicull to keep secret In addition, lo attribuie external 
attackers the Information would have to be released anyway, so it is almost certainly 
belter to sun by developing pubikly available suuidaids from the beginning. Note that 
some will have signifleam privacy concerns, so standards development should include 
eflbrls lo address those concerns. 

Standards should be open, m poniculor 

• Standards should be publicly dermed and held. This way. no single vendor 
coraioh others, permitting compelilion. Organizalions that support 
developmeni of publicly defined and held standards include the Inlemel 
Engineering Task Force (IETF), the World Wide %'eb Conaorttum (W3C), the 


47 



68 


Institute of Electrical and Electronics Engineers. Inc. (IEEE), the American 
National Standards Inililutc (ANSI), and the International Organization for 
Standardization (ISO). The IETF and W3C are more commonly used for 
inicrnet-tclatcd standards, they ore also faster to respond oisd redistribute 
standards freely (mcrcasing the number of potential competitors). Thus, for 
many attribution standards, these organizations might be preferred. 

• Standards should not be patcnl-encumbcrcd. A standard that cannot be 
implemented without a patent license gives a special advantage to the patem 
holderfs). Such patents constrain or prevent competition, and thus undermine 
the advantages of standards listed above. Both tire W3C and IETF strongly 
discourage palcnt'cncumbcred standards for these reasons. 

Some specifications that could form the basis of standards for attribution include the 
following: 

• IDIP (of CITRAV This has two layers, the application layer (that uses CISL) 
and the message layer. 

• Common Intrusion Specification Language (CISL) 

• Idem etilensiofis (for SPIE) 

• ICMP Tracchack Messages (ilYoce) - this Is on IETF dial) 

• Results of the Intrusion Detection Exchange Format Working Croup (IETF 
idwg). including the Intrusion Detection Message Exchange Format (IDMEF) 
and ifflnisioo deiection exchange protocol (IDXP). Infomulioo on this 
working group is available at hnni.'/www.tetf.otu.'html.cluiners/idwe- 
charicfJumI 

• RlD-OoS, a simple draft protocol for inter-network provider comtnunicallon. 
This protocol defines messages for trace request, trace outhornation. and 
source found. Mote information b in [Moriarty 2003]. 

• Netwoik Ingress Filtering. IETF RFC 2(27 (note that this is already ■ 
standard) 

3.8 AUribution Techniques) Must Be Secured 

Cleirty, attribution techniques themselves need to he secured. They should be resisuuu to 
subversion by an attacker, in particular, attackers should not be able to comipt the data 
used for attribution or prevent attribution by directly attacking the attribution 
components An attribution technique sliould not create a new avenue of exploitation 
(c.g.. by creating a new technique for performing a denial of service attack against the 
system). In many cases, this will require authentication and checking for authoruotion. 
and ininaion detntion systems should note unauthorized requests. 


4 » 



69 


Maii> of Ihnc lechnitfuc* m)uuc tnm between multiple dilTercni otyoniniknu. making 
aecunng theae compooenta more difTicuh. 

3.9 Attribution Should Uaually Be Hidden from the Attacker 

In many caiea, an attribution technique ahould not reveal to an attacker that an attribution 
proceu exista or that one it being executed. This is especially diflicull if the 
adminixtraton of domaiiu along the path arc colluding with the attacker "Random" 
queries can help (where occasionally messages we randomly selected for attribulioni. 
However, employing a large number of random queries is only practical if the technique 
is highly automated and does not interfere with normal operation. 

However, in some cases hiding attribution capabilities may not be desirable Some 
attackers may decide to not attack at all if they knew that they risked attribution, or may 
break off an attack if they believe an attribution attack b ongoing. Thus, a known 
atvHiution c^iabilily may aotnetimes lervc as a useful deterrence The attribution 
capability or technique may no* even be real, or it may appear to use one technique when 
in fact aisothcr u being used 

Organizations will need to decide if they with to hide or reveal the existence of an 
aOribution ptocest, as well as the dcuils of that process. Organizations will also need to 
determine how they intend to implement the hiding or revealing. 

3.18 Senaor Placement la Important 

Many attribution techniques are baaed on the principle of establishing sensors of some 
kind, then analyzing and using the information from that sensor. Clearly, the infoimalion 
gained depends on the placement of those tensors. Two sensor placcmcnl Issues are 
particutarty relevant; sensor location, and whether or not the sensor b "in-line": 

I. LoaUian Clearly senaors can only be uieful if they arc placed where they can 
acquire useful data. ThU suggests that for attributioo purposes, senson should 
be placed not only near a defender, but also as twar to the attacker as possible 
to the attacker can be more accutalcly attributed. To support traccback. 
sensors must be located at relevant intermediate pointa as well, to enable a 
defettder to quickly locale the attack path 

3. Mutt or Non-tih-linr. Sensors can be placed as in-line tensors or as non-in- 
line (monitoring) sensors. In-line sensors require thsi ill sensing operations 
be complete (c-g., initial logging) before additional normal processing occurs. 
Non-in-linc (monitoring) sensors passively observe otscralioiu instead, but if 
they cannot keep up they lose data. The disadvantage of in-line sensors u that 
they may slow down overall processing. The disadvantage of monitoring 
tensors u that, if a network or system becomes overwhelmed, such senson 
may lose critical data, and Ihis b exactly the time where such data may be 
needed. Fundameiually, this b a tiade-olT between the quality of attiibutioa 
information (in-line) and perfomunce (noil-in-line). 


40 



70 


3.11 Many .Attribution Techniques Require Funding for Technology 
Transition 

CIcafiy, there are a number of adribution techniques. However, many of these techniques 
have only been implemented as non-rohust protolyyies, if they have been implemented at 
all. Some of thw techniques have been developed with UARPA funding (such at 
ISnoeren), (Sancher], (Schitackenbergl, and |Sietne|l, but OARPA does not have an 
obligation to ensure that its research work u eventually turned into working, useful 
products, even when that work h extremely promising Some work (such os |Burch 
2000]) con only be used utsder special legal circumstances atsd it unlikely to be a 
conunetcially viable product. For some techniques, govemmem devekipmenl it the only 
allenutivc if it it to be developed at all. 

Thus, there is a significanl need for a icchiMlogy tratMition plan with significacit funding 
if tome of the research concepts are to be turned into working products. 

3.12 t>egal/Policy lasuea Intcrtss-ine 

Although this paper conccninUcs on the technical issues, any deployment must carefully 
consider the legal and policy issues with attribution Many attribution techniques can 
only be employed by people in certain roles. Laws and policies ore often utKiear. and 
may need to be ciarified (or possibly revised) to employ some anribution tecbnlques. See 
(Aldrich 2002] for more on legal issues in attribution. 

3.13 Need to Protect Privacy and Freedom of Speech 

Some anributron technologies can be misused to subvert privacy, climirutc anonymity, 
attd climinole pscudonymity. This it especially a concern if attribution technologies 
developed in democracies ore acquired and redeployed by governments with abusive 
human rights records to suppress freedom of speech and democracy movements. 

Members of Congress have already expressed similar concerns. For example, the 
'Global Inlcrttet Freedom Act" (S 3M3 IS)' was proposed in the U.S. Senate on October 
10. 2002, to "develop and ^ploy lechnologiet to defeat Internet jamming and 
censorship,'' Their concern it that various countries keep their citirent from freely 
accessing the Internet attd obtaining international political, religious, and economic news 
and information; the proposed bill lists examples of such countries as Burma, Cuba. Loot. 
North Korea, the People's Republic of Chitu. Saudi Arabia. Syria, and Vietnam. This is 
similar to anti-jamming techniques already used by the Vbice of Amcrka. If these 
countries could easily use altribulioii techniques against their own citizciuy when those 
cilirens accessed or shored some kinds of informoiion (e.g., on democracy or religion), 
and jail or kill its citizenry for doing so, then attribution techniques could be used to 


' TIh icM of l)i< GloM Inurtwl Ftredom Act la ivuloMc at liap.''nlioiniu.lac.tov<c(i- 
Uyeiiaiy.-Z)clri:S'jm: 


&0 



71 


luppress Independent thought In oOier counuics. This result is not mlhe best interests of 
the U.S.; indetKl. h's not in the best interest of hummit) 

Even wiihosM the concern of abuse by foreign govcmmeius. ll£. citizens will cerulnly 
want their privacy against what they may perceive as unwarranted government intrusioo. 
Indeed, the fourth amendment to the U.S. Cotrstlhttioa guarantees that people must be 
secure “against utucasanable searches and seizures.'* 

Clearly, attribution techniques that pose less danger to privacy should be the ones most 
encouraged 

3.14 Rei|uired Attribution Times Will Continue to Shrink 

Some attacks will be slow, over a period of possibly months. But other attacks will be 
rapid, on the order of milUsccondt. (Stanifo^ 2002] discitsses techniques for attacking 
large numbers of syttems in very short times. For rapid attacks, attribution techniques 
will need to rapidly attribute the attacker before the attacker can “get away" or any useful 
data is hidden by a mass of disiracimg data. This suggests that automated attribution will 
be tttcteasingly necessary, and that manual techniques wrill became increasingly worthless 
agaimt certain kinds of attacks. 

3.15 Attribution ia Inherently Limited 

All technical means for attribution ate inhetenlly limited. These limitations nKludc 
attribution delay, failed attribution, and misaltribulion. 

3.15.1 Attribution Delays 

If an attacker uses a zombie to perfo r m a significantly delayed automated attack, it 
becomes extremely diflicult to attribute the attack path preceding that zombie. Even 
when tile attacker docs not inicntiarsally hKludc a delay, there is usually a delay in the 
defender's response that an attacker can exploit. This delay in the defender's response 
has many sources: the defender must determine that the message is an attack (or at least 
that it ia worth attributing), perfaim the attribution, decide on ■ response, and implement 
the response. An attacker may be gone before attribution hat idemined or located the 
attacker, and'or the attribution may have been made but too laic to perfoim an effeclKc 
response 

These weaknesses can be partially countered by comidering certain kinih of pre-attack 
activity to be a form of attack and performing attributioiL Examples of such pre-attack 
activity include foolprmting. scanning, and cimmcralion of systems on a network. 
However, some of these activities ore legitimate and/or not really attacks, and they occur 
constantly on the open Interact. Thus, attribution activities that have a high cost should 
not normally be used simply to attribute actions that may not be precursors to on attack or 
are reoccurring 


&1 



72 


3.15.2 Fiiilpd Attribution 

An iltrihulc technique may fail to attribute an attacker. Wideipcead prepoaitKininti and 
the use of multi(ric techniques can help, but ane not guaranteed. 

3.ISJ Misattribution 

An attribution process may identify the wrong location or identity of an attacker, a 
problem that this paper wrill refer to as mUaartbuilan There arc many possible causes 
for misatuibution, inchtding defective software, incorrect data, incorrectly interpreted 
data, and ambiguous data. Since attackers can perform various counler-measuies. 
attackers may intentiorull) send (or try to setsd) mcotrect data to an attribution process 

Attackers may even with to cause mitanributioo as their primary purpose, rather than 
actually be successful at the attack. For example, if there it already tension and conflict 
between two adversaries (e.g., two countries A and B), a third party (C) could tiy to 
attack one (A) and cause iIk sttack to be misattribuled to the other party (B). Thus, the 
third party couM escalate a conflict between others simply by forging attacks 

Ideally an attribution process would also report the confidence level in the attribution, but 
this infonnatiao is often not available. Thus, any use of attribution information must 
account for the (act that attribution always carries with it some uncertainty. 


62 



4. Conclusions 


Wc conclude the following: 

1 . There are ■ Urge number of different attribution techniques. Each technique 
has its strengths and weaknesser, no single technique replaces all others. 

2. Attribution is difficult and inherently limited. In particular, attackers can 
cause attacks to be delayed and perfoim their attacks through many 
intermediaries in many jurisdictions, making attribution difficult In some 
cases this can be partly countered, for example, by treating some informalion- 
gathering techniques as attacks (and attributing them), using muhiple 
techniques, and using techniques that resist this problem (such as 
exploiting/forcing attacker self-identirication and attacker surveillance). 
Nesertheless. because of the difficulty and uncertaimy in performing 
attribution, computer network defense should not depend on attribution. 
Instead, attribution should be part of a larger defense-in-depth strategy. 

3. Attribution lends to be easier against insiders or insider intermediaries. 

4. Frepositioning is necessary for many attribution techniques. 

5. Many techniques are immature and will require funding before they are ready 
for deployment If the DoD wishes to have a robust attribution capability, it 
muH willing to fund its development and deployment. 

6. A useful first step for the DoD would be to change the terrain of its own 
network. By this, we -mean modify DoD computers and networks to aid 
attribution techniques. This includes hardening roulers and hosts so 
exploiting them as intermediaries is mote difficult, limiting spoofable 
protocols, disabling broadcast amplificalion'ienection. artd implementing 
nelwtirk ingress filtering. Changing the terrain should also be applied to key 
networks the DoD relies on. to the extent the DoD con convince those network 
owners to do so. 



74 


Appendix. Attribution Technique Taxonomy 


There «re existing taxonomies of attribution techniques. For example, [Wang 2001a] 
divides ‘Tracing approaches” into two categories: host-bnsed and network-based, each of 
which can be ctassifted as being active or passive, iiowever, these taxonomies do not 
appear to suggest the many possible techniques described in this paper. 


Figure A. I presente a possible taxonomy of the attribution techniques as defined in this 
paper The figure shows that the task of attributing attackers con he divided into 
techniques that actually perform attribution, as well as techniques that modify the 
environment to simplify attribution. Performing attribution can be further subdivided 
into techniques that trace backwards from some given point, techniques that send data 
forward from a given point, and techniques that view network/host from an external view 
and extract attribution information using that viewpoint 


, -- — frm lttre 


1. iSi«r« A IracHtsck OvcHc* 

2 . ftHorni l»p«l Ddivtiiat 
is Qmi7 HmU 



Modif> 
Envi 


7, IftMfl llttM 

'lie Emptoy Rc«tnt Ftim 
ScMd AiMkim^Ib Netwwt 3. Tr«»inlil«4 Metupn 

D«a Eon««*a v ^4 Tr«ii»ii»ll Mmagn 

frooi Pa«d * .. c -• 

FtP«n Source^ p, F.«pkiM/F«#c« AtUrlitr 

\ ScIMikutifkatiM 

15. AltMicr 

Cjdnmlt) (I, ll«»«ryp»l/li*B*y»rl 

Olwrnrt 

laKv^Uu t.M.lcli 

SypaT si«.« 

12. f erfona I'llicrias Nar»»J 

(Network I Rimt FUtcrMp) 


. 11. InqikfReol 
kpusf rrebraik* 

»14. Scevrv lleelkiVoMlen 


IT CeaMne Te«bNiq«r> 


II. E«pl«y 
Eerwonl. 

I IDS 


Fifurr A.1. Attribution Trchnlque Taxonomy 


Tracing backwordii from some point (i>'pkaU> the defemter) bock towtud the sttacker can 
use dilTerem kinds of information. One approach is to require intermediate systems to 
store logs (historicnl information of some kind) that can be later queried. Another 
approach is to request intermediate systems to report the “next time” a message of a 


A-; 





ceruin pincrti it delected. A third ipfiroach it lt> examine the current stale of a host (or a 
router, but usuall) ruulcra have no inicrctting “current Hale"). Hosts can he queried if 
they support such queries, and if not. querying capabilities can he inserted into them 
Many protocols have bi-directional dau Hows: the reverse flovr leads back to the anacker 
nr attacker mtermcriiaiy and may be exploitable as well. 

Sending attribution data forward can occur from some pomt inside the intermediate 
network, or from the source (anacker). Inside a network, the data can be sent by 
modifying messages as they are sort, or via sepamicly -transmitted messages. It may be 
pouible to anribule the anacker directly at the source, by cxpkritii^ dau the attacker 
sends and/or by surveillance of the attacker 

Fjciemally observing the hosl'neiwork may also provide attribution information. Systems 
(or virtual systems) thu arc not being used for nomtal work may be set up tpecirically to 
support detection and attribution. i.e„ boneypols or honeyttets. Systems that arc bemg 
used for normal work can be actively modified lo suppoit attributim (ijC.. reconfiguring 
the network and using those results to suppoit anribulion). Alternatively, the systems can 
be passively monitored for attribution information: messages can be used individually, or 
pairs of messages can be used to identify matching flows (also called streams). 

The environmem could be modifled lo support attributiocL The environment's links, 
protocob. and/or nodes can all he modified lo make H more difTiculi for an attacker lo 
hide their location or idenlity. In some cases, the environmental modiflcatinu can reveal 
so much about an attacker that they have the elTeci of performing anribulion by 
IhemKives This is ptrticuliiriy true for network ingress filtering, a specific approach 
using the “perform flilering" technique. 

Note that techniques can be combined. In some cases, imc technique can compensate for 
the weaknesses of another. 

This uuonomy u probably not compicic. It is quite possible that there will be future 
attribution techniques thH will require this taxonomy to be extended. An area 
panicularty likcK lo be expanded b externally observing hosls/networks in normal use. 

Better taxonomies will probably be developed in the future. However, the taxonomy of 
Figure A.I should aid undersunding of the many techniques already documented in the 
public literature. 



76 


References 


Mrff . To uid rapui acgussifion of particidor rejcrrncci, VRLs ore provided for many 

references. Some of these VHls may no longer he valid 

(Aldrich 20021 Aldrich. Rick. July 9, 2002. Computer Af fwior* Defense Attribution 
A Legal Perspective Prejuued for the tkrenic-wiJe InfomuHkm AsMirance Program 
IDIAP) 

(Asaka 1999a] Asaka. Midori, AUushi Taguchi. and Shigeki Colo, "The 

Implementation of I DA; An Intrusion Detection Agent System", in Proceedings of 
the llth FIRST Conference 1999. Brisbane, Australia, June 1999. 
htin://ty\st».sillcondefensc.com/reseafch''it rev'archive/tracing- 
napers'-M ii«99 iraein a using mobile agcnts.pdf 

[Asaka I999bj Asaka, Midori, Shimji Okazawa. Auushi Taguchi, and Shigeki Goto. 
June 1999. “A Method of Tracing Intruders by Use of Mobile Agents”. INET'99. 
httoV/www.silicoodcfense.cqrti^tese arch'itrex/archivcAtacing- 
rrr'r mtfcll'*** i mcina using mobile agents-pdf 

[Asaka 1 999c) Asaka, Midori, Masahiko Tsuchiya, Takefumi Onabuta. Shunji 

Okazawa. and Shigeki Goto. November 1999. "Local Attack Detection and Intrusion 
Route Tracing", lEICE Transaction on Communications, Vol.E82-B No.l I, pp.l826- 
1833. http://wwwjilicondefensexom'research^itrcx^n rchive/tracinB- 
paDeTs.'asaka99local attack . detectio n and tracinandf 

(Arkin 2002] Aikin. Ofir. 2002. "Trace-Back: A Concept for Tracing and Profiling 
Malicious Computer Attackers." London, England: Atstake Limited. 

[Axelsson 2000] Axelsson, Stefan. March 14, 2000. “Intrusion Detection Systems: A 
Survey and Taxonomy." Technical Report No 99-15, Dept, of Computer Engineering, 
Chalmers University of Technology, Sweden. 
httn:'/citcsecr.ni.nec.cp m/axeli(iionQ(linlrti>ic>n.himl 

[Bellovin 1989] Bellovin, Steve. 1989. "Securhy Problems in the TCP/IP Protocol 
suite." ACM Computer Conmunicalions Review 19/2. pp 32 • 48. 

[Bellovin 1996) Bellovin. Steve. May 1996. "Defending Against Sequence Number 
Attacks." lETT RFC 1948. http://www.ictf.ont/rfc/rfc 1 948,1x1 

[Bellovin 2000] Bellovin. Steve. “ICMP Tracebock Messages" draft-bellovin-ilrace- 
OO.txt hnD;//www.re8earchan.com/-smlv'wiPcrs'dran -bellovin-itrace-00.txt 

[Bemsleinl Bernstein. DJ. "Syn Cookies." http.//cr.yp.lo/syncookies.hlml. 


RelcrvrK«»-l 



77 


[Buchhobcl Buchholz. Florun, Thomas E Danielt. Benjamin Kupemun, Clay Shieldi. 
“Pacicel Tracker. Final Report" CERIAS. 

{Burch 2000] Burch. H., and B Cheswick. “Tracinj anonymoro packets to their 
approximate source." Proc. Usenix LISA '00, December 2000 

{Carrier 2002] Carrier, Brian, and Clay Shields. 2002. A Recursive Session Token 
l^ocol For Use in Computer Forensics and TCP Traceback. 
htlo:./cileseef,ni.i>cc.c om/? I ny.t|(,tuml 

(CERT I W6{ CERT. September 19. 1996 "TCP SYN Flooding and IP Spoofing 
Attacks." CERT Advisoiy CA-I996-2I htm:/i'w>ft»xett.ofyadvi>oricv('A-l996- 
2l.html 

{Chang 1999] Chang. ItY., R. Nariyan. S J. Wu. B.M. Vetter, M. Brown. JJ. Yuill, 

X. Wong, C. Sargor, F, Jou, F. Gong May 1999, "Deciduous: Decentralized Source 
Identification Tor Nctwoik-bascd Intrusiom,* 6th IFIP/IEHE International Symposium 
on Integrated Network Management. IEEE Communications Society Press. 
hnpi'Vwww.silicondefeose.convrcKarch.ltrcxarchive.'tracinB- 
Dai»ct>'chang99dccidw».pdf 

{Chang 2000] Chang, H.Y, P, Chen, A. Hayatnagaikar, R. Narayan, P. Sheth, N, Vo, C. 
L. Wu, S.F, Wu, L. Zhang. X. Zhang, F. Gong. F. Jou. C. Sargor, and X. Wu Januaiy 
2000. "Design and Implemenutlon of A Real-Time Deceimalizcd Souicc 
Identification System for Untiusted IP Packets " /’roceedMgr ijf the DARPA 
InformatUHi SunAvaUtUy Cor^mner A Eiposttion fDlSCEX 2000). IEEE Compmtr 
Soaeo-rnss. hnp;y/www.silk;<indefetise com/rwearch'ltrex^ archive/lrecintt- 
BMitrVdiaMOPdcsim and imolcmeniation of realtime.odf or 
httD:/.'shan«.cac.ncsu.e du/Daeervdcsimixlcciduous.Pdf 

{Chang undated) Chang. Ho-Yen, S.Feltx Wu. C. Sargor. X. Wu. Undaurd. "Towards 
Tracing Hidden Attackers on Uiitniated IP Networks" 
http:'hvwwsilic<»nilcfi!iue.ciitn/iesc afch1lrex/aichite1ricln»- 
paoctachaneClOiowards Iracinit hidden ailackers.pdf 

(Cheswick I992J Cheswick. Bill. Januaiy 1992. “An Evening with Berferd: In Which 
a Cracker is Lured, Endured, and Studi^." Proctrdinfp'o/ the Uiuntx H'lnter 92 
Coi^rtnet. 

{Cisco I] Cisco Systems. Characterizing and Tracing Packet Floods Using CiKo 
Routers. hnoy/wwwcisco.com'wanVnuhlic 707'22.html 

(Cisco 2) CiKo Systems. IP Source Tracking on CiKO 12000 Scries Internet Routers 
hni>://www. cisco com'univemkccnd'doc'ptr.diict'softwarc'ios 1 20' 1 20 ncw ft' 1 20limii 
'I20v'120s2l/1nst.hlm 

(Cohen 2002) Cohen, Peter. Januaiy 25. 2002. "Timhuktu used to recover stolen 
■Mac." MacCrntnA Mac Publishing LLC. 
hnp./hnaccenlral.macworld.cpm.'new st)20 1 /25 Jimbuktunhn 


IUr»r«fK»f-2 



78 


IDARPA 2002J DARPA. 2002. “DARPA Suiemcnl on eDNA and The Sew York 
Times MOO of November 22.' hHn-.//www.danio.mil'bo«h .'i>JP«taleincnl.Ddf 

[Dean 2001] Dean, D.. M. Franklin, and A. Stubblefleid. Febniary 2001. 'An 
algebraic approach U> IP Traceback.' /’roceedings cf the 2001 A>n»or* and 
Disirikuied System Security (SDSSj Symposium. 
h np:< w^^.Mlicondefciwc.com'rocafch^orcii.'irehivfr'tfiiinA- 
parcrvdca nOlalitcbfak anoroach.pdf 

(OcciduotuI Oecentralired Source Idetniricalkm Tor Networi-Ba»d Inmisioni. 
Coiuaci: Chandru Sargor. 

hlln-./'»-m> ant mcnc (ira'nrv>lcciyPetiduou»'I)ctiduout.hnnl 

[Diclhch 2002] Dietrich. Sven, John McHugh, George Weaver, and Tom LongstafT. 
March 12, 2002. "Cumni Active Network OefenK Technique*." Active Network 
Defetue (AND) Meeting. June 21. 2002. 

IDmrkhl Dittrich, Dave. Dinributed Denial of Service (DDoS) Attacks/toob 
W'ebihc. hnoi/.'»lafT wathinetnn edudittrkh/mitci'ddo* 

(Doeppner 2000) Doeppner. Thorn** W.. Philip N. Klein, and Andrew Koyfinan. 
'tJting Router Stamping to Identify the Source of IP Packets." 7ih ACM Conference 
on Computer and Commwiicationi Security (CCS). Alheru, Greece. 2000. pp. I M- 
IS9. hno:/ 'portal acm.ore.'cltation,cfm?dold*3 S2600.352627 

(Dunigan 2001] Dunigan, Tom (th<k§|oml.gov). June 2001, Backtracking Spoofed 
Packets. ORNL/TM-200I/1 14. http-.//wwwx»m.oml.eov/-duniirarv'oci1>kifk.hUnl 
(listed as “preliminary tech report"). 

(EPIC 2002] Electronic Privacy Information Center (EPIC). November S, 2002. 
"Cookie*." httpi'/www.epic.orc'tifivacv/intemet/cookie*/ 

(Floyd 2001] Floyd, Sally, Steve Bcllovin, John loannidiv Kirecii Kompella. Ralul 
Niahajan. Vem Paxson. July 2001. “Pushback Messages for Controlling Aggregates 
in the Network." Internet Draft diaft-floyd-pushback-mess^p»-00.txt. Submbskm 
dale Jul. 2001. expiration dale Jan. 2002. 

htip;/'www4ilicot>defctix.com'ttscarch1lrevatvhivc’trBCtmt-ga Pcra''draft(lc»d- 

PV>(l^Nt^^^KtHgg^W.BI 

(IETF IIII2| Baker, F. June 1905. “RequiremenU for IP Version 4 Routers.” IETF 
RFC m 2. hitp:/'wwfw .ictf,org/rfc/rfc 1 8 1 2.ui 

(IETF 2827) Ferguson. P.. and D. Senie "Network Ingress Filtering: Defeating Denial 
of Service Attacks which employ IP Source Address Spooling." Request for 
Commenu (RFC) 2827. IETF. hnn-.''iwww.ietf.onfrfc/rfc2K27.ut 

(Honeynet 2003] HoiKynet Project. January 7, 2003. Know I'our Enemy Honeynets. 
http/'proiect .honey net .oni'WPcts^onevnet 

jloannidi* 2002] loonnidis, John, and Steven M Bcllovin. Feb 6-8. 2002. 

“Impicmeffling Pushback: Router-Based Defense Against DDoS Attacks” Proc, of 


R«(i»r9iiap*'3 



79 


the Network and Distributed Systems Security Symposium. S«ii Diego. CA. 
hBP /'>«f>»>*,i»«,wlKK^coofeteniesiKlss^i'nrocetdinB>/wtwrv"^ 

(Jang 2000] Jang, Heejin and SangwivcA Kim. December 2000. "A SelfExleuian 
Monilaring for Security Managemem.” I6ih Anmud Computer Security AppUcatiom 
Conference, New Orieaoa, Louiliana. hltp:/'www.silicotKkfen<e ciMn/rttcatchfitie\.' 
intii»t/LtKl ng-PMier>''i»ngOO*elf-eatens«)n tnonitonnf pdf 

(Jayawal 2002] Jayawal, Vika*. William Yuicik. and David Doss. June 2002. -'Internet 
Hack Back. Counter Attacks as Seir-Dercnsc or VigilaniismT" Proceedings of the 
IEEE Intemaiionat Symposium on Technology' and Society fIST.iS), Raleigh, NC. 

[Johnson 1999] Johnson, Neil F. 1999. “An Iniroductioo to Watermark Recoveiy from 
Images “ Proceedings of the SANS /ntruuon Detection and Response (ID '99). San 
Diego, CA, February 9-13, 1999. hnD;"www .iitc .oom'Dub'idr99a him 

(Jung 1993] Jung, H. T.. H. L, Kim. Y.M. Seo. G. Choe. S L. Min. C.S. Kim. and K. 
Koh "Caller id system in Ute internet environment.'' IfNlX Seciulty Symposium IV 
Proceedings {I99i),pp.69-7K. 

[Junkbusters 2002} Junkbusters. 2002 “How Web Servers' Cookies Threaten Your 
Privacy' http/'www junkbusters coitv'tookies html 

|Kawar2002J Kawar. Mark. July 26. 2002. “Nebraslumt build ami-hacker softwrue " 
Omaha World Herald. 

|Ko) Ko. Calvin. Deborah A. Frincke. Terrence Goon, Jr., L. Todd Heberlein, Karl 
Levin. Biswanath Mukherjec. and Christopher Wee. "Analysis of an Algoritiim for 
Distributed Recognition and Accouniabili^.“ Isl ACM Conference on Computer and 
Communicatium Security, 

(Lee 200 1 1 Lee. W,, and K. Park, "On the EfTecliveness of Probabilistic Packet 

Marking for IP Tmccback under Denial of Service Attack." Proceedings of IEEE 
htfoCon 2001, 

(Lee 2002] Lee. Susan C-. and Clay Shields. “Technical, Legal, and Societal 

Challenges u> Automated Attack Tmccback." IEEE TT ProfesslomA. May/Junc 2002 
(Vm. 4. No. 3) pp. 12-1*. hltD:''/www.com[niter.orit/itnru.'it2002)13toc.htm 

[Markoff 2002] Markoff. John. November 22, 2002. “Agency Weighed, but 
Discarded, Plan ReconTiguring the Internet " The New York Dmes. 

[Matikin 2001] Mankin. Allison. Dan Massey, Chien-Lung Wu. S. Felix Wu, Lixia 
Zhang. 2001. "On Design and Evolution of 'Iniention-Dnven' ICMP Tracehack." 
Proceedings of IEEE Inicmatinnal Conference on Computer Communicaliuns and 
Networks. 2001. 0-7803-7128-3/01. httpy/sec Iab.cs.ucdavit.edu'pancrs027- 
lITrace.iidf 

[Mansrield 2000) Mansfield. Gleim, Kohei Ohta. Yohsukc Takei, Nei Kalo. and 
Yoshiaki Nemour. 2000. "Towards trapping wily intruders in the large". Computer 
Networks 34, pp 659-670 (2000). 


Kellir«B0s»>4 



80 


hnp: wm-M .. 

iifKn/m«n»liekHX)wilv hjcfcCT.nai 

IMcCullafh 20021 McCuliagh. Deckn. "Penugon backs ofT on Net tD Mgit." 
httD;^/zdncLtom.coniraiOO-l l05-9ft0ffM.>mtil 

[Miiiovic] Mitkovic, iclena, Janice Martin and Peter RcUter. “A Taxonomy of DDoS 
Attacks and DDoS Defense Mechanisms.* Computer Science Oepanment, 

University of Callfomia, Loa Angeles. Technical report #020018 
htwy/wwu kir.cs.Mck.cdu'ddos'wcIa lech . retxitt , 02001 8.pdf 

(Memam- Webster 198}) Merriam- Webster 1983 Webster's Ninth New Collegiate 
Dictionary .SpringTield, MA: Merriam- Webster Inc. ISBN 0-87779-508-8 

(Miles 1999) Miles. Stephanie. February 24. 1999. ‘'Intel downplays chip hack 
report." C/Net hltn:''''iiew t.com.cont'2 1 00- 1 00 1 -222 1 82.hunl71einicv -cnet 

(Moriatty 2003] Moriarty. Kathleen M. Febniary 10, 2003. "Distributed Denial of 
Service Incident Handing: Real-Time Imer-Nctwork Defense.” Work ui Progress. 
Internet-Draft draft-nioriatty-ddos-rid-03.lxt Expires August 10,2003. 
flp:."ftp.iti.edu/'intemct-drans/draft-monany ■ddot-rid-03.txt 

(NAf) Advanced intrusion Tracing and Response. 

hMity/tlPwnloidjai,cotn/PTPducts'nKdk'nai/tidPNAI-Lab»-AITR-l-5-0I.Ddf . See 
also http ./iwww .ngn.com7esearcltnailabv adnnlive-networks.aan 

lOhta 2000) Ohta, Kohei, Glenn Mansfield. Yohsuke Takei. Nei Kalo. July 2000. 
"Detcctiost, Defense, and Tracking of Internet-Wide Illegal Access in a Dnlributcd 
Manner." Proceedings of the 1 0th Annual Internet Society Conference (INET 2000). 
hop.' WWW. line, onc'isoc^ctmfcrencc v'met'OO cdPwcccdingii^lPlf 2.htm 

(ORNL) Oak Ri(^ National Lab. "Backtracking Spoofed Packeu' (web site) 
hup.:/^www,csm.tini|.gOT/~duni£an'oci'bkuk.hlnil 

(Park 2000] Park. Kihong, and Hec)o Lee. June 2000. "On the Effectiveness of 
Probabilistic Packet Marking for IP Tracehock under Denial of Service Attack" 
Technical Report CSD-OO-OI 3. Department of Comptiter Sciences, Purdue 
University. httni/^wvvwailicondefenw.coiiv'research'itrex/archiveTnicing- 
napctynaikOOcfTcctivcness technical nancr.ndf . An extended abstract of the report 
was published with the same title in Procec<bn/p of the IEEE lSFCKOh4 "Ol. pp. 
338-347,2001. 

(Partridge 2001) Partridge. C.. C Jones, D. Waitzman, A- Snoeren. November 2001, 
“New Protocols to Support Internet Tracebock." 

hllpy/)Vww.ir.bbn.tom^(kKumcnlYinternet drBRvdraft-nartridee-iimt-diKust-OO.tvt 

(Provos 2002) Provos, Niels, and Peter Honcyman. "Detecting Steganographic Content 
on the Internet* hllp:«bocx>nt''isoc'ConferCTces.'ndsaA)2.'Procceding6 

(Purdue 2000) Purdue Results ofthe "Attack Traceback Summit Proceedings" of 
September 6-8. 2000. htip^'.'www ,cerias .ourdue.edu'ev entslmcehack' 


IUCiir«fie**>5 



81 


IRiociuli I999| RicciMi. Mike. March 7. 1999. “MicroaoR atiiniu privacy prohlem. 
plans n»." ClNet hnpy/ne<«.vc qm. com/2 100- 1 040-;;2673.hltnt?lciiacv^i>i!l 

I Silver 1998] Sager. Olenn November 30. 1998. "Security Fun with OCxmon and 
cnciviid.' lmeniel-3 .Measutemeni Working Croup. 
hnn:''\v>vvs cai(>a.on: ntoicctv'nei'c ooirnt'sccuriiv 1 198 

(Sanchez 2001] Sanchez. Luis A.. WallerC. Milliken. Alex C. Snoeren, Fabricc 
Tchakuunlio. Christine E. Jones. Stephen T. Kent. Craig Partrige. and W. riniothy 
Strayer. "Hardware Support fora Hash-Based IP Traceback." Proceedings of the 2nd 
DAM*A Information Survivabilitv Conference and Exposition (DISCFJi II). pp. MO- 
IST. Anaheim. CA.June 2001. 
htmy/www.ir.bbn.cptn/pfoiccts'SPIE/pubsdisccxOl.html 

(SANS 2000a] SANS. February 23, 2000. Consensus Roadmap for Defeating 
Diitribuled Denial of Service Attacks: A Projea of the Partnership for Critical 
Infrastructure Security. Version I.IO. h«B:Vwwwjans oni'ddus roadman him 

(SANS 3000b] SANS. Egress Filtering v 0.2. February 29, 2000. 
httn://u-ww.sant.org/v 2k/cifess.hlm 

[Savage 2000) Savage, Stefan. David Welherall, Anna Karlin and Tom Anderson, 
"Practical Network Support for IP Traceback", Proettdings cf the 2000 ACM 
SKiCUMM Coitfmnct. pp. 295-306, Stockholm. Sweden. August 2000. See 
(Savage 2001). linB;//Vi-vvw.M,washinglon.cdu/homev'savaBehrn ccbitck.htinl 

(Savage 2001] Stefan Savage , David Wetherall , Anna Karlin , and Tom Anderson. 
June 2001. Network Support for IP Traceback. lEEE/ACM Tramaettotu on 
Setworking (TON). Volume 9, Issue 3. 

(SchaelTer 2000) SchaelTer. Richard C.. Jr. "TESTIMONY of Richard C. SchadTcr, 
Jr., Director, Infrastructure and Infontiation Assurance, OfTice of the Assistant 
Secretary of Defense (Command, Control. Communication, and IntelligeiKe) before a 
hearing of the Subcommittee on Covemmenl Managcmcnl, Information, and 
Technology, July 26. 2000, Conipulcr Security: Cyber Attacks • War without 
Borders." 

(Schnackenberg 3000) Schnackenberg. D.. K. Djahandari. and D. Sicme. 

"Infrastructure for intrusion detection and response." Troc First DAJtPA h^urmanon 
Survlvahiltt)' Conference and Exposition, Jon. 2000. 
httn.»ww-w.silicondcf cnse.conVfeseafchiltex/archlveAtacina- 
papcts'schnackenberitOODISCEX i ntrusion detection and tesponse.odf 

(Sharp] Sharp. Walter Gary, (then at MITRE) "Key Legal Implications of Computer 
Network Defense." linp://www.MitckhaLct.m/htnit/bh-mulii-mcdi»-arehive>,html 

(Silicon Defense] Silicon Defense. Traceback and Retated Papers Archive. 
lmpi:''www,tiliMnt>cfcilx.tom'rcscarchilreivarchivcnnicine-nai>ers 

(Smith) Smith. Richard M. “FAQ; Web Bugs " VeriFicd October 24, 2002. 
httP^' WWW oriv aev fou ndation.on!,'rcsourceVwebbuB.avn 





82 


|Siupi> I99U| Snapp, Steven IL. Junes Brentsno. Gihao V. Din. Temnee L. Coen, 

L Todd Heberlem. Cbe-Lin Ho, Kitri N. Levitt. Biswwuilt Mukheiiec. Stephen E. 
Sinaha, Tim Grance, Daniel M. TcaL uid Doug Mansur "OIDS (Distributed 
Imruiion Detection System) < .Motivation, Architecture, and an Early Prototype." 
Proceedings of the l-tih A'orional Cootpuer Securil)- Confertnet. Washington, DC. 
Oct. 1991, pp. 167-176. httD,'/seclah.ci.ucdavit.edu JiMi>ciVDIDSjtc>c9I.Pdf 

(Snapp 1991b] Snapp. Steven R., James Brentano, Gihan V. Dias, Temnee L. Goan, 
Tim Grance, L. To^ Hcbertein, Che-Lin Ho, Kul N. Levitt. Biswanath Mukherjee, 
Douglan L, Mansur, Kenneth L. Pon, and Stephen E. Smaha. "A system foe 
Distributed Intrusion Detection." In COMPCOM Spring *91 Digest of Papers, pages 
170-176, Febnury.'March 1991. hnp:/rscclab.cs.uedavis.edtt'oaoerv'iidfs/s<-ib-9l .pdf 

(Snapp 1992) Snapp, Steven K., Stephen E Smaha. Daniel M Teal, and Tim Grance 
1992. "Tte DIDS (Distributed Intrusion Detection System) Prototy pe." In 
Proctedmgs of tht Summer USESIX Cor^rrnce, pages 227-233, San Antonio, 

Texas. 8-12 June 1992. USENDC Association. 

(Snocren 2001 ) Snoeren, Alex C., Craig Partridge, Luis A. Sanchez. Christine E. 

Jones, Fabrke Tchakountio, Stephen T. Kent. W. Timothy Strayer, "Hash-Based IP 
Tmceback" liMp:/^wsv’w.acm.ore.'siiteoiitin'siitoo(tim200l/pl .himl 

[Song 2001 ] Song, D.X., and A. Peirig. "Advanced and authenticated marking 
schemes for IP traceback." /hoc. IEEE fofonm VI. April 2001. 
hnpy/wwsv.cs.herkclev-cdu'-dawnsona/ciiiceiVtr ititface.PS 

(Staniford-Chen 1995a] StanifonKIben. S.C.. "Distributed Tracing of Intruders." 
Master’s Thesis. University of California, Davis. 1995. 
hnp;">v*-»jilic<itidcfcnse4;om'research/Htex'archiveAracm»- 
papers staniford95disti ibuted tracing of intruders odf 

(Suiniford-Chcn 199Sb| Slaniford-Chen, S.O.. and L. Heberlcin. "Holding Intruders 
Accotauable on the IntemeL” Proetedtngt of iht 1 99} IEEE Symposium on Securuy 
anil Privacy (Oakland, CA. May 1 995), pp. 39-49. 
btlP-'.'Kclab.o ucdavl>-edu'paPetsAhumb.icee95jsdf 

[Staniford 2000] StanifonL Stuart. Inlerm Trap and Thset. 

hBPi/'swwallicondefcme.cnm'pptmextnrrapTricc 9 07 OO.mtt 

(Staniford 2002] StanifonL Stuart, Vem Paxon, and Nicholas Weaver. "How to Own 
the Internet in Vour Spare Time." Proceedings of ihe lllh VSESLV Seaaiiy 
.5y«tpairoiis(Security02), hHP."www lctr ore;v^pnnefs'cdc-uscniit -84002 

(Sterne 2001) Sterne, Dan, Kelly Djahaiidari, Brett Wilson, Bill Babson, Dan 
Schnackenberg, Harley Holliday, and Travis Reid. "Autonomic Response to 
Distributed Denial of Service Attacks.' RAID 2001. LNCS 2212, pp 134-149. 
http:^'v>-ww.c>e.ogi.edw'-wuchanu'csc58l >»lnter20O?hwni!ri/22l20l34.odf 

[SteriK 2002] Sleme, Dan. Kelly Dyahandari, Raviitdra Balupari, William La Chollct, 
Bill Babs^ Brett Wilson. Priya Narasimhan. Andrew Purtell. Dan Schnackenberg. 
Scott Linden. "Active Network Based DDoS Defense." Proceddings of the DARPA 


IUfi*renc«*-T 



83 


Active Netvwxis Conretence and iixpositian (DANCE <C)- ISSN 0-7695- 1 564-9iTO. 
IEEE Computer Society. 

IStoll 1990) Stoll, CUffbnl. 1989. 1990. rhrCucAoo'jiEjgr. rnidt()ij;a^‘7Voiq(Ai 
iht Stau of Computer Esptonagt. New Yocfc: Doubleday. 

(Stone 1999] Slone, Robert. October 1, 1999. “CenlerTraek; An IP Overlay Network 
for Tracking DOS plocKk.'* 

hitp:'''www.ut.uu.tict'gfx/eroiccta^sccuritv/centeilrack.Ddf . See also its republication 
in the Proceedings of the 9th Usenn Security Symposium, August 2000. 
http. 'www u>CTiix.org>nublicaiionsTibran 'iirocccdingysec2000'Stonc.l>tml 

(Templeton 2003] Templeton, Steven J.. and Karl E. Levitt (V.C. Davis) “Delecting 
Spoofed Packets ' Proctt4mpofThe Third DAWA htformatum SurvnabiUty 
Cor^rtner and Exposition (DISCEX III), Washington, D.C., April 22-24, 2003. 
httP;//scclab.csucdivis,edu'Piim'Delcctin«SPoofcd-DlSCEX,t»df 

(Thomas 2001) Thomas, Rob. February 8, 2001, Tracking Spoofed IP Addresses 
Version 2.0. hitp;.'^www cvmru com'-r obt/DoM/AnicIcvtracking-sPoofcd.himl 

(Van 1997] Van, Van C. May 29, 1997. A Defense Against Address Spoofing Using 
Active Networks MIT Master's Thesis. 
http/'wwwj<h.lcs.mit.edupublications\an97Jitml 

(Wang 2001a] Wang, Xinyuan, Douglas S. Reeves, S. Felix Wu, Jim Yuill. 2001. 
“Sleepy Watermark Tracing: An Active Network-baaed Intrusion Response 
Framework.* hnp://www,cs.tK;daviixdtt'-wti'i>ublication>70QI-Q.3-walcrmarit- 
tficaajMtf « linp;'.''iinm.tK jKMi.aliii'iaiim.hiiii 

(Wang 2001b] Wang. X,. D. Reeves, S.F. Wu, “Tracing Rased Active Intrusion 
Response,* in Journal of Information Warfare. Volume I, issue I, September 2001, 
pp. 50-61. hnp:'''atQos.cK .ncsu.cduMccrsJitm 

(Wang 2002) Wang. Xinyuan, Douglas S. Reeves, Shyhisun Felix Wu. 2002. “Inter- 
Packet Delay Based Correlation for Tracing Encrypted Connections through Sicppini; 
Stones.* 7rA Esiropean Symposium on Research in Computer Security lESORICS 
2002), Zurich, SwHaertaiid, October 14-16, 2002, Proceedings. Lecture Notes in 
Computer Science. Springer 2002. ISBN 3-540-44345-2. pp. 244-263. 
htm:''anic»s.cx.ncsu.cdu'papnijnni 

I Wheeler 2002] Whcckr, David A. July 2002. Secure Programming for Linux and 
VntxHORnX) hnot.^www dwhecler.conv'iecure-programs 

(Wright 2002] Wright. Matthew. MIcah Adler, Brian N. Levine. Clay Shields. “An 
Analysis of the Degradation of Anonymous Protocols * 
hnp;yisocx>m'isoc'confetences''ndsv02,'proceedinm 

(Wu 2001] Wu, S. F,, L. Zhang. D. Massey, and A. Mankin. “Inlcntion-drlven ICMP 
IracehKL* Inleniet Draft, IETF. Feb. 2001. draft-wu-itrace-intcnlion-OO.txL Work 
in progress. hlln:/'www.tlllcondefcnie.cont/reseiircK'itrex.archive3racine- 
BMNn(<tndl -wy -iifBtt-iniCTiipfi-<>Pt)n 


R*fefvncM’>8 



84 


|Yod< 2000| Yoda, Kunikuu, and Htmaki Etoh. (IBM Japan). October 2000. 

“rinding a Connection Chain for Tracing Intruderv** tn 6th Eumoetm Simnnuum on 
Rtttarrh m Compuirr Sr earm- - ESOUCS 1000. Toulouw. France Edited by F. 
Guppens . y. Dcswaitc, D. Gollman. and M. Waldner. 
hnn;'»icn».trl ihm.com'proiect>/'»eciirit»/chaintt»ce’ 

(iUlewaki 2001) Zalewiki.M'ichal 2001. Strange Attnclors and TCP/IP SequciKC 
Number Analyiii liiln.Vra/nr.bindvlewjeom.'iaihli»h/Daper\'lctaeaJitml 

[Zhang 2000) Zhang. Yin. and Vem Paxon. 2000. “Detecting Stepping Slones.'' 
Proceedings oflhe 9lh Usenix Security Symposium, 2000. 
httny'wwa icir.ontt.ettVnmers.'stci»nli>ii 


Re fr rr ft co»-tl 



85 


Acronyms and Abbreviations 


ACC 

Aggir{;stc-based Congestion 
Control 

ACK 

Acknowledge(d) 

AH 

Authentication ticsder 

ANSI 

American National Standards 
Institute 

BGP 

Border Gateway Protocol 

CC 

Common Criteria 

CEF 

Cisco Express Forwarding 

CERT 

formerly Computer 
Emergency Response Team; 
now just CERT 

CISIE 

Caller Identirication Syacm 
in the Internet Environment 

CISL 

Common Intrusion 
SpeciFication Language 

CITRA 

Cooperative Intrusion 
Traceback and Response 
Architecture 

CNA 

Computer Network Attack 

CND 

Computer Network Defense 

CPU 

Central Processing Unit 

DARPA 

Defense Advartced Research 
Projects Agency 

dCEF 

Distributed CEF 

DDoS 

Distributed Denial of Service 
(a type of attack) 

DHCP 

Dynamic Host Configuration 
Protocol 


DIAP 

Defense-wide Information 
Assurance Program 

DoD 

Deportment of Defense 

DOS 

Denial of Service 

ftp 

File Transfer Protocol 

HTML 

HyperText Markup l^guage 

HTTP 

HyperText Transport Protocol 

ICMP 

Internet CotHrol Message 
Protocol 

ID 

Identification 

IDA 

Institute for Defense 

Analyses 

IDIP 

Intruder Detection and 
isolation Protocol 

IDMEF 

Intrusion Detection Message 
Exchange Format 

IDS 

Intrusion Detection System 

IEEE 

Institute of ElectricrU and 
Electronics Engineers, Inc. 

IETF 

Internet Engineering Task 
Force 

IP 

Internet Protocol 

IPSEC 

IP Security 

IPv4 

Internet Protocol, version 4 

IPvb 

Internet Protocol, version 6 

ISO 

Intenuilional Organuation for 
Standardization 

ISP 

Internet Service Provider 


Acrociytn*~l 




86 


ISP 

Internes Service Provider 

PR/rr 

Pen Register/Trap and Trace 

iTract 

ICMPTracebick 

RFC 

Request for Contmenls 

LAN 

Local Area Network 

RIO 

Remote. Inltusion. Detector 

MLSI 

Mark Left by Suspected 

Intruder 

SPIE 

STOP 

SoiBcc Path Isolation Engine 

Session Token Protocol 

MTA Mail Transfer Agent 

NAI Labs Nctwoci Associates 

SMkT 

Sleepy Watemiatk Tracing 


Ijdmratories 

Syn 

Synchraoiae 

ORNL 

Uak Ridge National 

Laboratory 

TCP 

Transmiuion Control 
Protocol 

OSl 

Open Svstems 

UDP 

User Datagram Protocol 


Interconnection 

VS. 

United States 

P2P 

Peer to Peer 

WAN 

Wide Area Netwotl 

PP 

PPM 

Protection Proftlc 

Probabilistic Packet Marking 

W3C 

World Wide Web Consoruuni 


Acrofiynw-l 



87 



« ( *<*« o n.CAM 00 MOt wn^ii tou« *o«« n> tm ««ovi aooaiu 


• 1 PI MW" nr *'Xi’ 

' •.U'tKT :>x?- 

1 •• 

4 ' ■ I 

le.r.-ijut* Jar* 

4<'l> ' H .WUI X 

I>AsVkO|-'^l ‘ 

DAkuui-o:-* iam: 

U. *44 ' W «tU • 


V '‘•P'.JkAl# 1 . t WtS ' S Wli • 1 

I>i * 1 M \k r<tlr? 

VJ ;t . ' V wai " 

iirr],-<r\N t jir\n< Iiiklrair^ 

>• '4^4 N wei • 


« >4 «M(i> 

l(»l 1 '.^ti *C.Z»t '.U 1 

IniliTutc fer tVfrriK AmKh* 

4*<(' Vti/i C cfitct r>n>t 

ig -it- 

H.imsu 

k ^ KUiic 1 jcr vt ’.vr ^ 

Orirnkc-Wiijf AltuIWKV 

1?! 5 kfirrv ^ D««ii 

( r><U.‘ <1110 4) '■ Suite flO: 
krlingt m VA 2 r?hr 

ASj)i4 HMD 


li •• ••• •» 

kppr.'sfj f;*f put'Is. rflfi« ufthmitul dittnbut>.'<i 12 kirrh o' 

I t r .(Wt •»'A4i • H. '1 j 

14 *>'.**147* 


T>ii« r*r^ «»h>u* tfshni^itri tc- t<Cf fi. »rr - ■llriS#ln-fi i>f (^iirirvirr •lUkitn '*(u’ vr ilalM 

AlX».>aiii'< .jfl tJeftneil it "JelrfrMfiiPi the ■Aefitii) ./ '^u.m ,*f an atUk-ief icjkktr t irtemif Jiir\‘ ll 
I Jwilrt iHjf ihcrr 4rc man) innhuttm irittnnjuei altfitnitj* »< it din»;utf «im 1 itiJtctcniJ* ImotrO ■n»iKiini« utiili t.' hr 
cu'tf kjX'ntt intiJcn anO p(rt^>^it»,inir{ it nctetia^ r^t an7>Kjl><'r teviintquet Vti.*v lewKnigurt ire imi~atj*e 
«tbt n.ll «ci{u.r( fu^Jing ()rpl<7>Tnr«it A ukNI Ti't! uep (• it the Iktl) w.'wkj |t< t- > ' . ti^gt Ihr Irtrsm' 'f >■• ••Mn 

ortvt.fv iL cete aBnbutnm 

* ■ 'f 

ts^efjt. 1 . t(a..r have., ikwrve Xiul. wuiie tfatki^l MicKlilt. aniKker. .thef attai.* Jt-iaI 

. ♦ »rrtK« JiM'i'NileJ dm*i » f KrtivC. Dl>.'S. vOf*niuter ortwtiek tkfeiuc. i.<irrpoiBr ncitrt*rti •tUi.k. mf 'n-.»fi,in 
*■ m^Hrtrf tCv-id) uefT*tng itnnc A-tnl>e, UurnirttJii k 'fl. tVepartmenl .’f t Jrfente. IVjU, whanj: rti« trrrxin 

pftf* 'III . till*! j iRirmrl f< 'P If iTfa.*. “-efttirk itigrttt fiUetma inirutt-m itrlrtlnn tirrann mii.hirtg irtpwt JfKigg ni{; 



14 ^4 

A»t'ti*rT 1 

~t B».-a5 

'»« ^4i«4 .* fcf !>*-^44t»gl ! **•}■.•» 

J.iltr lUr.lrt 

\ fu.lA>*:t'cO 1. fKi-uvd'tcJ lArKUaiified 

Drilii'iP.fO 1 

u 



Biography for David A. Wheeler 

Dr. David A. Wheeler has heen in the computing field since 1980, 
and is an expert on computer security, open source software, open 
standards, and software development approaches. He has worked 
at the Institute for Defense Analyses (IDA) since 1987. 

As part of his work in computer security. Dr. Wheeler led the de- 
velopment of “Key Practices” guidance to perform supply chain risk 
management in the U.S. Department of Defense. He is co-author 
of the DoD/NDIA document “Engineering for System Assurance.” 
He has written a hook (“Secure Programming for Linux and Unix 




88 


HOWTO”), written various articles (including the “Secure Pro- 
grammer” series), and given many presentations on how to develop 
secure software. His Ph.D. dissertation, “Fully Countering Trusting 
Trust Through Diverse Double-Compiling,” proves and dem- 
onstrates that the “Diverse Double-Compiling” (DDC) process (a 
process he named) counters the “trusting trust” attack. The trust- 
ing trust attack is a computer attack that previously had no effec- 
tive countermeasure. He is also the author of an IDA report sur- 
veying how to attribute cyber attackers, “Techniques for Cyber At- 
tack Attribution.” 

Dr. Wheeler lectures worldwide as an invited expert on open 
source software and/or security, including in Belgium, Brazil, Saudi 
Arabia, and numerous times in the U.S. As part of his work in 
open source software, he helped develop the official DoD memo 
“Clarifying Guidance Regarding Open Source Software (OSS)” and 
was the primary author of the supporting document “DoD Open 
Source Software (OSS) FAQ.” 

Dr. Wheeler has been involved in many efforts related to open 
standards. He represented the Missile Defense Agency (MDA) in 
the development of the DoD Information Technology Standards 
Registry (DISR), formerly named the Joint Technical Architecture 
(JTA). He also initiated and led development of OpenFormula, an 
open standard for the interchange of spreadsheet formulas which 
is planned to be part of the OpenDocument standard (ISO/IEC 
26300). 

Dr. Wheeler has long been involved in efforts to improve software 
development approaches and technology. For example, he led the 
evaluation of software development processes and software develop- 
ment environments across missile defense programs. He is the lead 
editor and co-author of the IEEE Computer Society Press book 
“Software Inspection: An Industry Best Practice” and is the sole 
author of Springer-Verlag’s book “Ada 95: The Lovelace Tutorial.” 
His more recent work has focused on how to change software devel- 
opment practices to improve the security and assurance of the re- 
sulting software. 

Chairman Wu. Thank you very much. Dr. Wheeler. 

Mr. Knake, please proceed. 

STATEMENT OF ROBERT KNAKE, INTERNATIONAL AFFAIRS 
FELLOW, COUNCIL ON FOREIGN RELATIONS 

Mr. Knake. Thank you. Chairman Wu and distinguished Mem- 
bers of the House Subcommittee on Technology and Innovation for 
the opportunity to discuss the role of attack attribution in pre- 
venting cyber attacks. My name is Rob Knake. I am an inter- 
national affairs fellow at the Council on Foreign Relations where 
I have spent the last year studying state conflict in cyberspace, so 
I will focus my comments on the attribution problem at that level 
first. 

It is my view that the problem of attribution has been largely 
overstated. For the high-end threats that my work is focused on, 
attribution will almost certainly be possible due to the limited 
number of actors that possess the capability to present a national 
security challenge in cyberspace. While we have all heard tales of 
teenagers with laptops sending viruses across the Internet, these 



89 


sorts of threats do not amount to a national security concern and 
cannot cause the type of havoc that many envision a cyber attack 
can. Estimates vary, but analysts who have studied the capabilities 
of both foreign governments and private groups have concluded 
that no more than 100 groups and possibly as few as four foreign 
militaries possess the capability to cause real-world harm through 
cyber attacks. Moreover, such an attack would take significant in- 
vestments of both time and money and teams of highly skilled spe- 
cialists. While technical attribution may only provide limited evi- 
dence of who was behind the attack, traditional intelligence and 
law enforcement investigation can make up the difference. I have 
no doubt that in the event of a so-called cyber Pearl Harbor, cyber 
9/11 or cyber Katrina, that we will be able to amass enough evi- 
dence for the President to take action. 

For lower-level threats, everything from nuisance behavior like 
spam to cyber criminal activity, many in the cybersecurity commu- 
nity have viewed the development of ironclad attribution in real 
time as the Holy Grail. In one widely discussed scenario, all pack- 
ets could be labeled with a unique identifier that would tie it to an 
individual, a so-called license plate for the Internet. It is my view 
that such a concept would be far more useful for authoritarian re- 
gimes to monitor and control Internet use by their citizens than it 
would be in combating cyber warfare, crime and nuisance behavior. 
Criminals would find ways around this tracking mechanism while 
average users would experience a near-total loss of privacy. More- 
over, such attribution would in no way force noncooperative re- 
gimes to cooperate in investigating cyber crimes. 

As the title of my written testimony suggests, instead of focusing 
on attribution, we need to move to accountability in cyberspace. 
Noncooperation in investigating international cyber attacks should 
be taken as a sign of culpability. States must be held responsible 
for securing their national cyberspace and should have an obliga- 
tion to assist when their citizens or systems within their county are 
involved in a cyber attack. 

Chinese government officials will often protest and lay the blame 
their country receives in the western press for cyber espionage 
against both government and corporate attacks by suggesting that 
the systems the attacks are traced to are simply compromised prox- 
ies that have been used to mask the identity of the real attackers. 
They will also suggest that systems in their country are used just 
disproportionately in these attacks because of the poor state of 
cybersecurity due to the widespread use of pirated software and 
low installation rates for even the most basic software security. 
This scenario may very well be plausible but even if true, I would 
argue that it is no longer an acceptable excuse. We need to move 
to a situation in which countries not only assist in investigating 
but also have mechanisms in place to shut down systems that are 
controlling attacks or participating in botnets. Failure to assist 
should be treated as complicity. 

Let me conclude with a comment on the issue of deterrence. 
Much ink has been spilled trying to make the Cold War construct 
of deterrence applicable in cyberspace but I believe the results of 
these efforts are unpersuasive. Deterrence during the Cold War 
was predicated on mutual assured destruction. While better attri- 



90 


bution can let us know who is attacking us, most potential adver- 
saries do not have as heavy reliance on network technologies in 
their industries, government or militaries. Thus, in order to retali- 
ate in any significant way, we would be forced to escalate out of 
the cyber domain and conduct kinetic attacks. That is not a situa- 
tion we want to be in, and the threat to do so may be perceived 
as incredible, this limiting its deterrent factor. Instead, we need to 
focus on improving our defenses and making investments to secure 
our portion of cyberspace. 

Thank you very much. 

[The prepared statement of Mr. Knake follows:] 

Prepared Statement of Robert K. Knake 

Untangling Attribution: Moving to Accountability in Cyberspace 

Chairman Wu, Ranking Member Smith, and distinguished members of the House 
Subcommittee on Technology and Innovation, thank you for the opportunity to dis- 
cuss the role of attack attribution in preventing cyber attacks and how attribution 
technologies can affect the anonymity and the privacy of Internet users. In your let- 
ter of invitation, you asked me to address the following series of questions: 

1. As has been stated by many experts, deterrence is a productive way to pre- 
vent physical attacks. How can attack attribution play a role in deterring 
cyber attacks? 

2. What are the proper roles of both the government and private industry in 
developing and improving attack attribution capabilities? What R&D is need- 
ed to address capability gaps in attack attribution and who should be respon- 
sible for completing that R&D? 

3. What are the distinguishing factors between anonymity and privacy? How 
should we account for both in the development and use of attribution tech- 
nologies? 

4. Is there a need for standards in the development and implementation of at- 
tack attribution technologies? Is there a specific need for privacy standards 
and if so, what should be the government’s role in the development of these 
standards? 

Attributions Role in Deterring Cyber Attacks 

Let me begin by stating my view that the utility of deterrence in cyber security 
may be limited and that the problem of attribution has been over-stated for the high 
end threats that represent a challenge to our national security. In its classic usage, 
deterrence is the idea of using fear of reprisal in order to dissuade an adversary 
from launching an attack. For deterrence to work, it is critically important that we 
know who has carried out the attack and thus attribution is a central component 
of deterrence strategy. I believe it may be too broad to view deterrence as a produc- 
tive way to prevent all kinetic attacks. Deterrence was the central concept in pre- 
venting a nuclear exchange between the United States and the Soviet Union during 
the Cold War. It is not, however, a central part of U.S. strategy to prevent terrorist 
attacks and its importance in preventing conventional military attacks is more lim- 
ited than in the nuclear case. During the Cold War, deterrence of the use of nuclear 
weapons was created through the establishment of “Mutually Assured Destruction” 
or MAD, in which both the United States and the Soviets understood that any use 
of nuclear weapons would be responded to in kind. The threat of total annihilation 
kept both sides at bay. Radar and other warning systems provided the mechanism 
for attributing any nuclear attack and possession of a second strike capability that 
could provide a nuclear response even after a successful Soviet launch kept the 
threat of retaliation credible. Equally important, however, was symmetry. 

The Soviets as rational actors did not want to see the loss of their cities, industry, 
and regime in a retaliatory nuclear strike. As long as we had the ability to hold 
these assets under threat, a Soviet strike against us would not be to their advan- 
tage. Such parity does not exist in cyberspace. Attribution may be a secondary prob- 
lem to the lack of symmetry. Many countries that possess sophisticated offensive ca- 
pabilities do not have extensive societal reliance on the Internet or networked sys- 
tems. If attribution could be achieved, deterrence might not follow because a state 
conducting an attack in cyberspace, may have little to lose through retaliation. The 



91 


logical solution to this problem is to threaten retaliation through diplomatic or ki- 
netic means outside of cyberspace, responses that could range from the imposition 
of sanctions to airstrikes. Thus far, despite the onslaught of attacks in cyberspace, 
no country has chosen to escalate their response outside of cyberspace. Moreover, 
it may be difficult to achieve proportionality in response to a cyber attack through 
other means. Deterrence may simply not be a useful concept to address our current 
state of cyber insecurity. 

If deterrence is to be a central part of our cyber security strategy, I believe it is 
essential that we can answer three questions: First, what degree of certainty in at- 
tribution is necessary to take action? Second, what would that action look like? 
Third, how will we make potential adversaries understand the answers to these 
questions prior to an incident so that they will be deterred? To begin, I think it is 
important to breakdown the attribution problem in cyberspace. There are three 
broad categories of attack that have their own distinct attribution problem. The first 
attribution problem, the one on which most attention is focused is the attribution 
problem for attacks carried over the Internet. These attacks are difficult to deter 
because of the underlying architecture of the Internet, the lack of security on many 
hosts, and because the individuals or teams carrying out these attacks can do so 
remotely, from the safe confines of a non-cooperative country. The second attribution 
problem is for cyber attacks that are not carried over the Internet. Potentially, 
many of the most dangerous forms of cyber attacks will be carried out against sys- 
tems that are not connected to the internet through other delivery mechanisms in- 
cluding attacks using microwave or other radio transmissions, thumb drives, and 
other portable media like CDs and DVDs. For these attacks against well-defended 
military and industrial systems, the attribution problem is similar to the attribution 
problem for kinetic attacks and can be addressed through real world forensics, in- 
vestigation, and intelligence. Finally, there is the problem of attribution for the in- 
troduction of malicious code in the supply chain for hardware and software. The 
threat to the supply chain may be the area of most concern today, yet the attribu- 
tion problem for the insertion of malicious content into software and hardware is 
no different from a traditional investigative challenge to identify the opportunity 
and the motive for inserting malicious content (see Figure 1 for a visual representa- 
tion of these challenges). 




Figure 1: The Attribution Problems 

With the exception of flooding attacks, all other forms of Internet-based cyber at- 
tack require two way communication between the attacking computer and the vic- 
tim computer. Sophisticated adversaries will take steps to obfuscate their true loca- 
tion and identity through the use of proxy systems, whether they are compromised 
computers or anonymization services or both. Despite these precautions, trace back 
techniques and digital forensics can provide the technical means to allow the 
attackers to be discovered. The barriers to the use of these techniques are more 
legal than technical, due to international boundaries and non-cooperative countries. 
If we breakdown the various threats carried over the Internet, the scope of the attri- 
bution problem can be brought into focus and different solutions for managing each 
threat begin to emerge. 

Attacks can be divided into the following categories ordered by the threat they 
pose: cyber warfare, cyber espionage, brute force attacks, crime, and nuisance. For 
each of these, both the attribution problem and the issue of response are different. 
For the highest level threat, that of cyber warfare, the attribution problem is largely 
overstated. As with other Internet based attacks, technical attribution may be dif- 
ficult and the forensics work will take time, but at present there are a limited num- 
ber of actors that are capable of carrying out such attacks. Moreover, the resources, 
planning, and timeline for such attacks would provide many opportunities to iden- 
tify and disrupt such attacks. Estimates vary, but on the low end, many experts be- 
lieve that only four countries possess the capability to carry out a catastrophic at- 










93 


tack in cyberspace, the so-called Cyber Pearl Harbor, Cyber 9/11, or Cyber Katrina. 
On the high end, up to 100 state actors and private groups closely affiliated with 
state actors may have the capability. No matter which estimate is accurate, this is 
a fairly small list of suspects that can be narrowed down through technical means, 
as well as out of band methods that include intelligence, analysis of capabilities and 
analysis of intent. If not already a priority, U.S. intelligence agencies should be fo- 
cused on identifying actors with high-level capabilities and understanding their in- 
tentions. While it has become a truism that hacking tools can be downloaded off the 
Internet and used by an individual with little or no technical skills, these tools do 
not pose the kind of threat that could cause widespread destruction. If the operators 
of critical systems cannot defend against such attacks, they are not taking the 
threat seriously. As the relevant technologies continue to evolve, it is important that 
the difficulty in carrying out significant attacks increases. Our critical industries, 
military and government agencies must continue to raise their defense levels in 
order to keep the ability to cause destruction in the hands of a limited number of 
state actors. 

In the event of a catastrophic cyber attack, attribution to at least some level will 
almost always be possible. The question becomes to what level of certainty must at- 
tribution be demonstrated in order for the President to take action? At the lowest 
level, attribution that traces an attack back one hop can provide the foundation for 
further investigations. If that first hop is in a non-cooperative country that is un- 
willing to assist in the investigation, that may be enough evidence to hold that coun- 
try accountable. As with the 9/11 attacks when the Taliban refused to turn over 
Osama Bin Laden, it may be appropriate under such circumstances to hold a non- 
cooperative country accountable, a concept I will return to later in this testimony. 

On the issue of espionage, the capability necessary for network exploitation is 
generally lower than that required for destructive attacks, particularly in the realm 
of economic espionage where private sector companies are targeted. What we lack 
is not so much an ability to attribute attacks, but international norms that keep 
espionage limited. Espionage is generally recognized to be permissible under certain 
circumstances and many scholars will argue that it has a stabilizing effect on the 
international system by reducing paranoia. As has been recently demonstrated by 
the discovery of a Russian spy ring in the United States, engapng in espionage is 
not necessarily considered a hostile act and can be resolved without further esca- 
lation. The challenge with cyber espionage is that we lack norms that limit the ex- 
tent to which states engage in it. This problem is exacerbated by the fact that cyber 
espionage is not constrained by the costs, consequences and limitations of tradi- 
tional espionage. 

By way of example, consider the case of Robert Hanssen, a former FBI agent who 
spied for the Soviets and then the Russian Federation for over two decades. Over 
that period, Hanssen smuggled several hundred pages of classified material to the 
Russians, who paid him several hundred thousand dollars and maintained a net- 
work of handlers in order run this operation. Hanssen paid a heavy price for his 
betrayal. Having been sentenced to life in prison, he spends 23 hours a day in soli- 
tary confinement at a Supermax Facility and is addressed by the guards only in the 
third person (“the prisoner will exit the cell.”) The American spies he betrayed in- 
side Russia were not so lucky. Most were executed. During the Cold War, spying 
had consequences. Now, according to public media reports, foreign intelligence agen- 
cies have exfiltrated several terabytes of information from U.S. government systems. 

Whatever country or countries are behind this espionage campaign, the people 
who are carrying it out are working safely from within the borders of their own 
country at little risk of being discovered or imprisoned. The low cost and low risk 
of cyber espionage is the problem, not the difficulty in attributing the source of the 
activity. If ironclad proof emerged of who was behind an incident of cyber espionage, 
what would the U.S. response be, particularly given the likely intelligence advan- 
tages that the United States gains from cyber espionage? It may be time that we 
recognize cyber espionage to be a different phenomenon from traditional espionage, 
one that requires a different set of norms and responses. I doubt, however, that we 
lack sufficient certainty of who is behind these campaigns that we are limited in 
our response simply because we do not know who is carrying them out. 

Brute force attacks, so called distributed denial of service attacks or DDOS at- 
tacks, do present a specific technical attribution challenge. During these attacks, 
compromised systems formed into a botnet flood targets with large numbers of pack- 
ets that do not require the targeted system to respond. The malware behind these 
attacks will provide false information on the source of the packets, so that the ma- 
chines sending the packets cannot be identified. This particular problem is due to 
the trusting nature of the internet protocol which does not provide any security 
mechanism to keep this information from being falsified. To deter DDOS attacks. 



94 


it may be necessary to strengthen the Internet Protocol so that attacks can be 
traced to the computers that are part of the attacking botnet, and from their to the 
command and control servers and potentially to the botnet master himself. It may 
be equally productive to simply locate compromised computers participating in the 
attack and shut these down. 

For crime, the goal of attribution is to aid in investigation and result in criminal 
prosecution. Attribution is therefore necessary in the first instance to direct where 
an investigation should be targeted and for this first step, attribution needs to rise 
to the level sufficient for ‘probable cause’ to initiate the investigation. This first level 
of attribution may only need to lead to a system, not to an individual and an IP 
address is often times all that is sufficient. In turn, the investigation will need to 
establish attribution to an individual or group of individuals for the purpose of pros- 
ecution. For prosecution to be successful, attribution will need to rise to the level 
of guilt beyond a reasonable doubt. In between, there is the potential to pursue 
criminals through civil litigation, in which case the standard for attribution would 
be lower, and guilt would be assigned based upon a preponderance of the evidence. 
The problem is that currently, many countries lack both the legal framework and 
resources to pursue cybercrimes committed by their citizens or that use systems 
within their territory that target victims in another country. Even crimes committed 
by individuals in the United States against individuals in the United States will 
make use of intermediary systems in other countries, particularly those that are not 
likely or able to cooperate with an investigation. What is needed to deal with the 
problem of crime is not better attribution but stronger legal mechanisms for working 
across international borders, the ability to shutdown attacks as they are taking 
place, and more investigative resources. Ultimately, there must be penalties for 
states that do not cooperate in investigations and do not take steps to secure their 
portion of cyberspace. 

For nuisance attacks, attribution is rarely a problem. The problem is that few if 
any investigative resources are assigned to cyber criminal activity that does not 
have a high monetary value associated with it. This is a situation in which the im- 
pact of the crimes committed is fairly low but the resources necessary to address 
them are high given the volume of the problem. As an example, look at the problem 
of SPAM. The 2003 CAN-SPAM Act requires spammers to provide accurate header 
information and to provide an opt-out method for recipients so they can choose not 
to receive future methods. Yet nearly a decade later, SPAM is flourishing as 9 out 
of 10 emails are SPAM. For most of these messages, the organization that sent the 
message is identifiable because they are selling a product. What we lack is an en- 
forcement method that fits this problem, one that is focused on stopping the nui- 
sance behavior rather than prosecuting those who are behind it. Similarly, nuisance 
level network attacks, the type that can be initiated through downloads off the 
Internet, are rarely investigated and prosecuted yet they distract system adminis- 
trators and computer response teams from higher level threats. Investigating and 
prosecuting more of this behavior could deter many of the people who engage in it. 

For most of these threats, the challenges are not so much related to attribution 
as they are to resources and international cooperation. Focusing on deterrence may 
simply be the wrong way to think about how to handle these problems. The threats 
are materializing every day, making the abstract theorizing that laid the foundation 
for deterrence in a nuclear confrontation unnecessary. They are also, in every re- 
spect, a lower level concern that in no way threatens the existence of the United 
States. Instead we should focus in two areas. We need to reduce the scale of the 
problem by stopping threats as they unfold and by reducing the vulnerabilities that 
the threat actors make use of in their attacks. An investigative and enforcement ap- 
proach to all problems is simply not tenable. Instead of trying to trace every inci- 
dent back to a human user, we need to develop a legal framework for stopping at- 
tacking systems. We must move beyond treating intermediary systems as victims, 
and start viewing them as accomplices. In the United States, such a framework 
could require ISPs to monitor their network for compromised systems that have be- 
come parts of botnets and quarantine those systems until the problem is resolved. 
Similarly, we need mechanisms that allow companies or individuals that are under 
attack and have traced the attack to a system or systems to request for those sys- 
tems to be shutdown. This process needs to take place quickly and mechanisms 
must be developed to authenticate such requests across international borders. Such 
a framework, if developed in the United States, could be promoted as a global 
model. 

For higher end threats, there are lessons we can learn from the last decade of 
dealing with terrorist threats. The key is to move beyond the search for perfect at- 
tribution and instead hold states that do not cooperate accountable. Currently, the 
situation can be summed up like this. When an attack is traced to another country 



95 


that is not cooperative, the investigation dead ends. If that country is Russia, Rus- 
sian authorities will typically say that the incident was carried out either by patri- 
otic hackers or cyber criminal groups that the Russian government cannot control. 
If that country is China, Chinese officials will point out that China is often the vic- 
tim of cybercrime and that do to the poor security on many Chinese systems, they 
are often compromised in an effort to cast blame on China. In both cases, national 
sovereignty will be raised to explain why cooperation cannot be more forthcoming. 

To move beyond this stalemate, the United States should make public a position 
that treats failure to cooperate in investigating a cyber attack as culpability for the 
attack. Countries should know that they can choose to have the incident treated as 
a law enforcement matter by cooperating in the investigation or choose not to co- 
operate and have the incident treated as a hostile attack for which their country 
will be held accountable. Over the last decade the concept of state sovereignty has 
evolved so that sovereignty not only comes with rights in the international system 
but also responsibilities. The evolution of this concept is due to events in one of the 
least wired parts of the world: the Hindu Kush. 

In 1999, Michael Sheehan, the U.S. Ambassador at Large for Counterterrorism 
delivered a demarche over the phone to the Taliban’s foreign secretary. The message 
was clear: as long as the Taliban continued to harbor and support al Qaeda and 
its leaders, the United States would hold the Taliban responsible for any al Qaeda 
attacks against the United States or other countries. To drive home the point, 
Sheehan used an analogy. He told the Taliban’s representative: “If you have an ar- 
sonist in your basement; and every night he goes out and burns down a neighbor’s 
house, and you know this is going on, then you can’t claim you aren’t responsible.” 
The United States made good on Ambassador Sheehan’s word after 9/11, and as the 
international community attempts to address failed states that cannot control their 
borders or police their internal territory, this new concept of sovereign responsibility 
is taking hold. 

Applying this new concept of sovereignty to cyberspace has its merits. As with al 
Qaeda in Afghanistan, failure of a state to prevent its territory from being used to 
stage an international cyber attack should not, in and of itself, constitute a violation 
of state responsibility. Indeed, a world in which states monitor and constrain citizen 
activities to prevent crimes before they take place would be a very frightening 
world. What is crucial, however, is how states respond when confronted with the 
use of systems within their territory for cyber attack. If the Taliban had responded 
to requests to turn over bin Laden, the invasion of Afghanistan might never have 
occurred. Based on this new paradigm of sovereignty, states should be expected to 
pass laws making international cybercrime illegal and enforce them. They should 
have mechanisms in place to respond to international requests for assistance and 
they should have some ability to oversee the hygiene of their national networks. 
Better attribution through post-incident forensic techniques will be a crucial part of 
this new paradigm, but the development of ironclad attribution, will not necessarily 
lead to better security in cyberspace. 

The Role of Government and Private Industry in Improving Attack Attribution 

In order to improve attack attribution, there are many things that can be done 
with current technolo^. The most crucial is for both government and private indus- 
try to do a better job detecting significant threats, mitigating them quickly, and cap- 
turing evidence that can be used by law enforcement for investigative purposes. Fo- 
rensic techniques are getting better, but there are genuine civil liberties concerns 
with them getting too good. 

The vision of perfect attribution can best be summed up as the idea of giving 
packets license plates. Under such a system, compromised systems or other proxies 
could not be used to hide the identity of attackers because each packet would be 
labeled with a unique identifier, possibly an IPv6 address that has been assigned 
to an individual after having that individual’s identity authenticated in some 
verifiable way. Access to the network would require authentication, and each packet 
produced by the user would be traceable back to that user. The privacy implications 
of such a system would be obvious, turning the Internet into the ultimate tool of 
state surveillance. The security benefits for pursuing criminals and state actors, 
however, would be minimal. Without cooperation from all foreign states, criminal 
activity will simply gravitate to states that do not authenticate identity before 
issuing identification numbers or choose not to participate in the system at all. 
Many states benefit tremendously from cybercrime, both directly through the cash 
it brings into economies, and indirectly through the bolstering of technology develop- 
ment through the theft of intellectual capital. Moreover, for less capable states, 
cybercrime provides the necessary cover of darkness for espionage to take place. By 
cracking down on cybercriminal groups, the activities of state actors would stand 



96 


out starkly. Ultimately, such a system would restrict the freedom and privacy of 
most users, while doing little to curb criminal elements or state actors who would 
find ways around the system. 

As a baseline, of what we should expect from digital forensics, it may be instruc- 
tive to look at the role forensics plays in the real world. Many people have become 
familiar with modern forensics techniques through the popular series CSI and its 
spinoffs, television shows about real-world crime scene investigators. Each episode 
begins with a body. The crime scene investigators come in and walk the scene col- 
lecting forensic evidence and then take it back to the lab and process it for clues. 
This activity takes us to the first commercial break in an hour-long drama. The 
forensics have yielded clues about who the victim was, how he or she was killed, 
and possible attributes of the killer. Then the detective work begins. The detectives 
try and establish a motive. They delve into the past of the victim. They ask them- 
selves who would have wanted the victim dead? They ask a lot of questions of a 
lot of people. On television, this process is packed into an hour. In the real world 
it can take days to weeks, months and years. 

Cyberspace isn’t so different from the real world. We have digital forensic tools 
and trace-back techniques that in the latest incident with Google, allowed the com- 
pany to conclude that the attacks emanated from China. We can’t know more than 
that without some good old-fashioned investigative work but we can ascertain mo- 
tive based on what systems were infiltrated and what data was stolen. We can nar- 
row down the list of possible suspects by geography. We can further narrow down 
the set by capability. Only so many people in the world have the ability to put to- 
gether the kind of code used in the hack. We also know whoever built the exploits 
wasn’t working alone. That’s enough leads to get an investigation going in the real 
world, and it is also enough in cyberspace. 

While the Google case illustrates the attribution “problem”, it also illustrates the 
need for Internet Freedom, something the Chinese government is trying to erode. 
Our law enforcement community might want ironclad attribution on the Internet to 
combat cyber crime, but the Chinese government and other authoritarian states 
want it to combat speech. We may want to know who carried out the hacking of 
Google but we also want to protect the identity of anonymous posters in online fo- 
rums about Chinese human rights. 

Creating the perfect surveillance state online is within our technical means. In 
real-world equivalents, we could label each packet with its digital DNA, tying it to 
a single real-world person, and recordings of everything that goes on so we can play 
back the tape. But cyberspace isn’t so different from the real world, especially since 
more and more of what we used to do by walking we now do online. If we don’t 
want to live in a surveillance society out here, we also do not want to live in one 
in cyberspace. The tools for digital forensics are getting better. We don’t want them 
to get too good. What the Google incident really demonstrates, isn’t a technical prob- 
lem; it’s a legal and diplomatic one. We lack norms for acceptable behavior by states 
in conducting espionage online and we lack agreements between states to partner 
in pursuing cross-border cyber criminal activity. Better surveillance wouldn’t solve 
that problem. 

In two narrow areas, government and private sector technology companies should 
collaborate to improve two of the basic protocols that govern internet transactions. 
First, government and industry must work together to develop a secure version of 
the basic internet protocol that authenticates the “from” information contained in 
packet headers. In distributed denial of service or DDOS attacks that do not require 
the return of information, the ability to supply false sender information makes it 
difficult to trace and block such attacks. Similarly, the underl3dng protocols for 
sending email allow an individual to spoof the identity of a sender so that someone 
with malicious intent can send email appearing to be from a bank, a friend, or a 
work colleague. This weakness is typically exploited in social engineering attacks in 
order to get the recipient to click on a link that will download malware or send back 
sensitive information. These problems are well known and well documented. After 
more than two decades, I believe it is safe to conclude that the informal, consensus- 
based processes used by the Internet Engineering Task Force to develop and adopt 
new protocols will not solve these problems. The Federal Government must step in, 
lay out the challenge, and lead the development and adoption of protocols that solve 
these problems. An “X-prize” strategy might prove useful in this context. 

Privacy and Anonymity in Resolving Attack Attribution 

In the early days of the Internet, anonymity was how privacy was obtained when 
online. As a general trend, anonymity on the web is eroding for most users due to 
the interactive nature of current web content but new ways of protecting privacy 
have not developed, at least not for the average user. In terms of protecting privacy. 



97 


anonymity is only useful in a “web 1.0” context. In the web 1.0 era, users were pas- 
sive recipients of information posted to the web. Anonymity on the web is still useful 
for accessing information that you do not want others to know you have accessed, 
whether it be pornographic material or information on democracy if you live under 
an authoritarian regime. Increasingly, however, access to information is not what 
the Internet is being used for. Managing health records and finances and commu- 
nicating online cannot be done anonymously. What is needed is privacy, something 
that does not currently exist on the web that must be created through both technical 
and legal mechanisms. 

Most of the so-called “free” web is funded through advertising, and advertising is 
increasingly targeted to individuals based on information collected about them from 
their IP address and from various types of cookies placed on their computers when 
they access sites. By the time my homepage at the nytimes.com has loaded, a total 
of 12 cookies have been loaded onto my computer, including “flash cookies” that can- 
not be deleted through standard browser settings. While some of these cookies are 
used to authenticate my username and password on the site, the vast majority are 
for advertising, meant to track my use of the internet in order to target advertising 
at me. Companies sell geo-location services that use IP information to determine 
where you live so that advertising can be targeted at you for local services. By de- 
fault, my browser, my computer, and the websites I visit are set to allow all this 
to happen without me knowing it. Advanced users may have the skill set and the 
motivation to set their browser settings and take other steps to avoid privacy loss 
but most users do not. 

At present, only the technically sophisticated, be they law-abiding citizens con- 
cerned with their civil liberties or criminal actors, can obtain anonymity, while the 
average Internet user experiences a total loss of privacy. As the technology develops 
to improve attribution, we need to ensure that our laws develop to protect their use, 
both by government and by the private sector. These points to the need for govern- 
ment intervention to require companies that collect information online and track 
users to be explicit about what they are doing. Surrendering your privacy online in 
exchange for “free” access to information should not be something that happens be- 
hind the scenes, but an explicit decision that users make. The equivalent of the Sur- 
geon General’s warning, something short, explicit, prominent and standard should 
be displayed on sites that use privacy compromising methods to generate adver- 
tising revenue. 

In order to protect private communication online, we need to implement both tech- 
nical solutions and stronger legal protections for the content of communication. 
While law enforcement and intelligence agencies are restricted from accessing pri- 
vate information without due process, private sector entities and criminals have far 
fewer barriers. The average home users email messages are not secured end-to-end 
through encryption, and the laws that protect the intercept of these messages are 
far weaker than those that protect regular mail. 

Taken together, these steps would replace the loss of anonymity that was the 
foundation of privacy on the early web, with privacy for all activities carried out 
over the Internet, including transactions and two-way communication. 

Standards Development for Attack Attribution and Privacy 

As stated previously, I believe it is necessary for the U.S. government to work 
with the Internet engineering community to address known problems in the current 
suite of protocols. In my view, these problems are both limited and correctable but 
both funding for development and incentives for adoption post-development are nec- 
essary. The goal should not be to create ironclad attribution that would turn the 
Internet into the ultimate tool of the surveillance state. Rather, the end state should 
be protocols that prevent the spoofing of IP addresses and email. 

On privacy standards, I believe that it is government’s role to protect the privacy 
of individual users. Government must stop assuming that consumers have all the 
information they need to make informed decisions about privacy. The goal of govern- 
ment intervention in this area should be to make the decision to surrender privacy 
in exchange for access to information and services a transparent decision. Websites 
should be required to notify users if access requires the installation of cookies that 
will track users for the purpose of targeting advertising. Many if not most users 
may make the decision to surrender their privacy for access to so-called “free con- 
tent”. Others may choose a pay option. Still others may seek out content that nei- 
ther costs privacy or dollars. 

These two issues overlap for Internet Service Providers. The activity of ISPs is 
largely unregulated in the United States. For ISPs, attribution on their networks 
is not a problem: they can see malicious activity and trace it back to a customer. 
When evidence of the next jump on a host has been deleted, ISPs are often able 



98 


to trace the next hop of packets. Standards are necessary for what ISPs should and 
should not be required to track, for how long they should store such information, 
and how this information can be shared with law enforcement or private parties. 

Finally, we need standards for the operation of anon 3 Tnity services. Services like 
Hotspot Shield, Tor, and others provide a valuable service to many Internet users, 
particularly those living under authoritarian regimes where accessing certain 
websites may not be possible or may be tracked in order to identify dissidents. Yet 
these same systems can be used for criminal purposes. Standards are necessary for 
regulating these services and they must be promoted internationally. These services 
provide anonymity, which, as previously discussed, is only useful for accessing infor- 
mation sources and anonymous posting activity. These services should therefore re- 
strict their users to web-based activity. They should also make it easy for companies 
and government agencies to block the outbound IP addresses to prevent users that 
have gained anonymity from attempting to access secure systems. If you are tr 3 dng 
to access your own bank account online, there is no legitimate reason to use an 
anonymization service. Finally, these services should retain auditable logs for law 
enforcement purposes. Users should understand that this information will be kept 
private, and only released if the service has been used for criminal purposes. Ulti- 
mately, as with states, anonymization services should be held accountable for their 
users’ behavior if they do not cooperate with law enforcement. 

Conclusion 

As I have expressed throughout this testimony, it is my view that the problem 
of attribution has been largely overstated. Ironclad or perfect attribution would not 
address the problems of cyber warfare, espionage, crime or other threats in cyber- 
space. Such a capability would, however, be injurious to freedom of expression and 
access to information for many people around the world. Stronger mechanisms for 
international law enforcement cooperation are necessary, as is the ability to stop at- 
tacks in progress, and improvements to the general hygiene of the Internet eco- 
system. More than anything else, we need to develop better and stronger options 
for responding to threats in cyberspace and introduce consequences for states that 
do not cooperate in stopping attacks or in investigating them. Finally, we need to 
move beyond anonymity as the guarantor of privacy on the Internet and instead 
work to create privacy through both technical means and legal requirements. Thank 
you for the opportunity to testify on these important issues. I would be happy to 
answer any questions at this time. 

Biography for Robert K. Knake 

Robert K. Knake is an international affairs fellow in residence at the Council on 
Foreign Relations studying cyber war. He is currently working on a Council Special 
Report on internet governance and security. Prior to his fellowship, he was a prin- 
cipal at Good Harbor Consulting, a security strategy consulting firm with offices in 
Washington, DC; Boston, MA; and Abu Dhabi, UAE, where he served domestic and 
foreign clients on cyber security and homeland security projects. Rob joined Good 
Harbor after earning his MA from Harvard University’s Kennedy School of Govern- 
ment. He has written extensively on cyber security, counterterrorism and homeland 
security issues. He is co-author (with Richard Clarke) of Cyber War: The Next 
Threat to National Security and What To Do About It (HarperCollins, April 2010). 

Chairman Wu. Mr. Giorgio. 

STATEMENT OF ED GIORGIO, PRESIDENT AND CO-FOUNDER, 
PONTE TECHNOLOGIES 

Mr. Giorgio. Good morning. My name is Ed Giorgio and I am 
the President of Ponte Technologies. Let me begin by commending 
Chairman Wu and Committee Members for looking into this impor- 
tant matter. Having personally spent a career in science and tech- 
nology and having witnessed numerous R&D innovations that im- 
prove the quality of our lives, economic livelihoods, security and 
privacy, I am confident that this Committee will undertake the 
proper initiatives to solve long-term and extremely difficult prob- 
lems such as the one we face with cyber attack attribution. 



99 


Post-attack attribution today is not effective and the protocols we 
have today are insufficient to provide it. The recent attacks on 
Google are neither new or surprising. What is new is the extensive 
publicity they generated, but despite all this publicity, and a con- 
vincing that they were perpetrated by a state-sponsored actor in 
China, the rate of such cyber attacks coming from China has not 
decreased. Current attribution capabilities are clearly no deterrent. 

We envision transitioning to a multi-protocol Internet infrastruc- 
ture where service is offered over DoD network segments and sen- 
sitive commercial and financial networks would require trans- 
mission using new protocols that have accountability and attribu- 
tion built into their design. On such networks, attack attribution 
would meet the requirements for legal evidence without giving 
away sensitive sources and methods. Other less-sensitive services 
might be offered over network segments such as Radio Free Amer- 
ica, which allow or indeed welcome interaction with anonymous en- 
tities. This is another case where the current protocols are lacking. 
They have little support for anonymity or for real flexibility in how 
much personal information is revealed in a transaction. Each cit- 
izen should have access to a certificate or other token that uniquely 
identifies the holder along with others that provide less or even no 
identity information. It should be possible to acquire as many such 
identity certificates as are needed to support multiple online roles. 
Some organizations already provide physical analogs in the form of 
prepaid credit cards or anonymous pay-as-you-go cell phones. 

As Americans, we fiercely defend our right to privacy and secu- 
rity and subsequently create a vision where we achieve both simul- 
taneously. But transparency is also important. Indeed, one might 
argue that the history of human social development and even evo- 
lution was driven by transparency of action, but we have witnessed 
three transformations brought about by technology that are having 
profound impact on human behavior, from attributable to anony- 
mous, from discoverable to forever hidden, and from understand- 
able to magical. Wherever we lost transparency, whether into gov- 
ernments, corporations or individuals, bad actors eventually 
emerged and violated our trust and our laws. 

The threat comes from all these actors, many of whom are be- 
yond the reach of our American courts, whether it is the Chinese 
stealing our American innovations to produce less-expensive 
versions, the Russians engaging in financial crimes, the Israelis 
stealing our political intentions, the French dealing our competition 
sensitive materials, the Nigerians conning our elderly and so on. 
Closer to home, we face the same threats from within our borders. 
In the past, gross violations of domestic civil liberties were justified 
by reference to foreign threat. These are very dangerous constitu- 
tional grounds we tread and the gravity of the legal and constitu- 
tional dimensions cannot be trivialized. 

So in conclusion, my comments are not focused on promoting 
what the ideal balance between privacy and security should be but 
rather a challenge to those embracing the utopian view that both 
may be simultaneously within our grasp. While we continue to in- 
sist that private information remains just that and that anonymous 
persona will be supported, the existence of a trusted third party 
may be the only way to ensure that. In my opinion, government 



100 


has not yet earned the necessary trust to perform this role and we 
will require a lot more transparency and oversight before giving 
that trust. 

Thank you very much, and I would be happy to answer any ques- 
tions. 

[The prepared statement of Mr. Giorgio follows:] 

Prepared Statement of Edward J. Giorgio 
1. Answers to Committee Questions 

1.1 Is Attack Attribution a Deterrent? 

Question 1: As has been stated by many experts, deterrence is a productive way 
to prevent physical attacks. How can attack attribution play a role in deterring 
cyber attacks? 

Attack attribution is much easier in physical space, but also possible in cyber 
space. One of our goals is to discover who is attacking us, not whose computer sys- 
tems they are using to launch their attack, or where geographically those systems 
are located. However, even this is not enough for a diplomatic or public opinion de- 
terrent. Consider for instance the recent attacks on Google. There is little doubt that 
these were perpetrated by a state-sponsored actor in China, but has the attendant 
publicity done anything to reduce the number of cyber attacks coming from China? 

Attack attribution is an essential part of our overall situational awareness and 
emergency response measures. For example, we can use attribution to shut down 
or otherwise protect ourselves from attacks in progress. We can even stop a DDoS 
attack without attribution as to the initiator of the attack. We just need to stop 
where it is coming from. However if attribution is to have any value as a deterrent 
then it needs to be both irrefutable and able to be revealed to the world without 
compromising privileged information or intelligence assets. In some cases you can 
show China was a transit point for an attack and didn’t stop it; this has value too. 

Current technologies allow us some level of attribution, most of which is plausibly 
deniable. Attribution can sometimes be made irrefutable by combining what is pub- 
licly known with the resources available to an intelligence agency such as NSA or 
the FBI, but this is rarely releasable beyond government circles — much less to the 
attacker — and thus has little if any value as a deterrent. There is also the option 
of turning it into a U.S. State Department demarche to the offending country, but 
even this has pitfalls (like revealing very sensitive sources and methods). 

As with any other form of attack, there are numerous types of organizations or 
individual involved, and some of these may well be deterred from pursuing a cyber 
attack for fear of attribution and the legal or economic consequences thereof 

Entities whose systems are used as the launching point for somebody else’s attack 
may also be motivated by attack attribution to secure their systems and either stop 
an attack in progress or prevent such abuse in the future. It is often possible to 
identify the reputable private institution who owns the offending computer — if this 
is made public, it can have an adverse impact on the brand of that institution, re- 
vealing ineffective controls and poor information security practices. Corporate execu- 
tives could be held personally responsible for such failures and personally liable if 
there is damage to shareholder value. 

The same could be true of the ISPs whose networks are used to propagate cyber 
attacks. Where strong competition is present in the market, attribution can play a 
valuable role in motivating ISPs to address user education, network monitoring, and 
endpoint security. 

With attacks from nation states, or state-sponsored actors, the potential impact 
of attribution technologies really depends on the nation, and so our response needs 
to be carefully tailored to that nation to have maximum effect. Some nations will 
act cautiously, fearful of the consequences that could come from being exposed as 
a cyber attacker, such as economic damage, sanctions or even war. Other countries 
do not seem to care. For those nations that do care but also have a strong offensive 
cyber presence, masquerading as an organized crime entity, or as a country that is 
well known to be the source of cyber attacks, is an easy way to reduce such risks. 

Terrorist groups will not be deterred by attack attribution — they may even wel- 
come it. However, if attribution can be used as a means of geo-locating members 
of a terrorist group during an attack, this is something that can be used to disrupt 
their operational tempo. 

For organized crime, attribution may serve as a deterrent if that attribution could 
be used to help build a criminal case against them that will stand up in court. Un- 



101 


fortunately, their chosen targets may not have the situational awareness to know 
that they are being attacked, or the resources to provide that deterrent. Organized 
crime groups will often target either bank customers or small companies with vul- 
nerable credit card databases. When they target the government, they will often tar- 
get individuals rather than organizations — for example to discredit police officers by 
planting incriminating evidence on their home computers, or to bribe or blackmail 
insiders to monitor or affect the course of criminal investigations. 

When forensic analysis or other collateral information also permits us to identify 
the actual human offender, criminal charges, prosecution, and conviction will serve 
as strong deterrents. This will be somewhat expensive to do here in the U.S., very 
complicated with even close allies, and nearly impossible with the bad foreign actors 
mentioned above. Consider for example the case of Gary McKinnon, who after eight 
years is still awaiting extradition from the UK — a very close ally. The legal costs 
arising from the investigation and long extradition process, along with any future 
trial, could easily exceed the actual damage of which he is accused. Once a suspect 
is convicted, their subsequent imprisonment is also expensive. Is this actually a 
good use of taxpayers’ money? We simply do not have the resources to pursue every 
hacker out there, or even a significant subset of them, much less extradite them to 
the U.S. and imprison them here. 

The last significant group of attackers is the “script kiddies” — typically the easiest 
attackers to identify, as well as the easiest to protect against. While we should take 
measures to protect our systems against such attackers, and take measures to iden- 
tify and deter them where possible, we should keep in mind that many of them real- 
ly are children. Notwithstanding the damage they cause, our goal should be to guide 
them towards a more enlightened path in which they become useful and productive 
members of society, rather than criminalizing them at an early age, which could 
leave them with no job, no vote, and no stake in the common good. 

1.2 Roles of Government & Industry in Technology Development 

Question 2: What are the proper roles of both the government and private indus- 
try in developing and improving attack attribution capabilities? What R&D is need- 
ed to address capability gaps in attack attribution and who should be responsible 
for completing that R&D? 

While company-to-company and nation-to-nation political dialog may well do with 
less stringent, but plausible, attribution, if attribution is to be used in court then 
it must be irrefutable and presentable as evidence in its own right. To achieve this, 
we will have to move to new protocols in the infrastructure which change the very 
foundation of our networks, building in attribution and accountability from the 
ground level. Governments and private enterprises are facing similar threats, and 
trying to solve much the same problems, and so partnerships with industry will help 
to develop the protocols of the future. 

Having built the necessary protocols in collaboration with industry, we can begin 
to require that entities with a legitimate presence in DoD networks, or in some civil 
government or critical national infrastructure networks, implement the new proto- 
cols as a pre-condition to network access. Some corporate enterprises (particularly 
in the financial space) will be motivated to do the same for their own business rea- 
sons. In this way we can add to the security posture of those networks at the same 
time as we demonstrate the viability of the enhancements. 

This is not something that any one government can push through for broad use 
in the Internet as a whole. Evidence of this is in the recent claims over the “mili- 
tarization” of the internet which is not embraced by business, academia, and civil 
libertarians alike, and even debated within government circles. This is somewhat 
recognizant of the crypto wars fought two decades ago which ultimately resulted in 
government conceding the issue. The fact that we may have to make concessions 
on this issue, should not prevent us from pursuing R&D which will be necessary 
if/when some politically viable path emerges. 

In spite of this resistance to militarization, there are strong economic drivers in 
global electronic commerce that are pushing towards solving security problems in 
the infrastructure rather than in the application space. Applications can’t sit around 
waiting to do a time critical task while depending on an unreliable infrastructure. 
The infrastructure will ultimately enforce stronger authentication for users and ter- 
minals, stronger integrity, and non-repudiation assurances for the transactions. 
These properties, once built into the infrastructure, will serve to decrease gaps in 
attack attribution capabilities. Infrastructure will always move more slowly than ap- 
plications, and we should not ignore how quickly application changes can deliver ei- 
ther (and sometimes both) improved privacy and improved attack attribution. 

Many credible experts claim the goal, even if deemed reasonable, is not tech- 
nically feasible. That may be the case to a purist, but the fact that we can’t find 



102 


perfect security solutions anywhere has not deterred us from raising the bar very 
substantially through many hard fought for improvements. 

While government cannot by itself mandate changes in underl 3 ring infrastructure 
technologies (Ex. IPv6), DARPA, NSF, and the research elements supported by the 
Comprehensive National Cyber Initiative all should be working to research and de- 
velop new capabilities. These could be researched, designed, implemented, piloted, 
and ultimately become operational on DoD and Intelligence networks, where attack 
attribution is far more important. After all, it was the original ARPANET where 
current internet protocols were developed and incubated before they ultimately 
flourished on today’s internet. 

New protocols based on the above research should be introduced through the 
IETF, as this process is the most likely to encourage commercial acceptance and de- 
ployment into worldwide networks. For security standards or algorithms, NIST is 
the appropriate agency. 

Research in attack attribution would leverage many of the capabilities already de- 
veloped. We have seen frameworks which securely embed the user ID, computer ID, 
process ID, institutional affiliation, and geo-location directly into the IP address. 
One way to do this is with cryptography and allows us to bind the above attributes 
to the IP address in a non-forgeable way. Continuous improvements in this area 
could also raise the bar significantly. 

We envision transitioning to a multi-protocol internet infrastructure where serv- 
ices offered over DoD network segments would require transmission using these pro- 
tocols, while other government services such as “Radio Free America” might be of- 
fered over network segments which allow or indeed welcome interaction with anony- 
mous entities. Some incremental improvements in this arena are already being 
made, for example with Trusted Network Connect, which can be used to require ma- 
chine-level attribution before network access is granted. Similarly, financial institu- 
tions might have far more stringent attribution requirements than a news media 
or marketing agency. Social networking sites would be adaptable to the needs of 
their constituencies which, I might add, will likely reflect generational differences 
over the need for privacy. 

1.3 Distinguishing Factors between Anonymity and Privacy 

Question 3: What are the distin^ishing factors between anonymity and privacy? 
How should we account for both in the development and use of attribution tech- 
nologies? 

Privacy protections are usually given to people who are acting under their true 
identity while anonymity assumes that people are acting under an anonymous per- 
sona. Under privacy, public and private institutions have Personally Identifiable In- 
formation (PII) which is bound to other information they retain about their cus- 
tomers. This might be something as simple as the address of a customer who buys 
firearms. They have policies about protecting such information. Control objectives 
focused on privacy attempt to mitigate loss from: 

a. Unauthorized Individual — Information systems are inadequately protected 
resulting in a release of data to unauthorized parties inside (or outside) the 
institution. 

b. Authorized Individual — An authorized individual within the institution 
makes a unilateral decision to overstep their authority and release or sell 
privacy information. 

c. Questionable Institutional Practices — Questionable (and generally accepted) 
institutional practices push the legal envelope too far by broadly interpreting 
the privacy laws pertaining to their business. 

d. Systemic Institutional Corruption — Systemic institutional corruption results 
in the willful and unlawful release of privacy information. 

In all the above cases, the institution has privacy information which it did not 
provide adequate protections for. This is not the case with anonymity which would 
have prevented the institution from knowing the identity of or having PII on the 
individual in the first place. This is quite different from well intentioned 
anonymizers which attempt to remove all PII information from data records so they 
can be used for other purposes, such as research, public health, crime statistics, etc. 
There have been some failures of anon 3 miized data bases which revealed PII infor- 
mation through “data leakage” or “correlation handles”. 

There is very relevant research on the problem of working with Internet router 
flow records which were anonymized by having random substitutions applied to 
their IP address fields. Researchers were able to recover the actual IP addresses 
from a collection of anonymized records and known IP address segments. Since the 



103 


purpose of attack attribution is to identify the attacker, the attacking computer, or 
the geo-location of the computer, this cannot be done successfully without unmask- 
ing someone or some computer who was attempting to be anonymous. Of course, 
this is not the case if the person was acting under a “anonymous persona” in the 
first place, in which case there is no persona to attribute the attack to. 

Where true anonymity is allowed, attribution is neither desirable nor possible. 
Therefore a risk management decision has to be made as to how much anonymity 
is allowed and in which contexts. A news organization may consider it more impor- 
tant to allow anonymity to protect journalistic sources, while a DoD organization 
may see no need for others having anonymity but every need for security. Today’s 
networks give us a mix between anonymity and security, but no fine-grained tools 
for managing the trade-off between them. 

Many of the transactions on the internet are reasonably private but not anony- 
mous. The financial institutions develop protocols which protect the integrity of the 
financial transactions, and the merchants may make some attempt to protect cus- 
tomer privacy information, but existing protocols don’t allow anonymity where it 
may be called for. For example, I may wish to research AIDS treatments without 
letting my search agent know that it is me doing this research. I may even want 
to buy such treatment without revealing my identity to the merchant who is selling 
it to me, but I may want the supply chain and the public health officials to know 
what treatments are of interests to this anonjnnous purchaser. All of this is possible 
with the right protocols. In the standards section below we will demonstrate the 
type of research that is needed to develop such protocols. 

In order for online commerce to flourish, there is a strong need for trusted entities 
to issue trustable and non-transferrable identity certificates. In this way people can 
be assured that when they communicate with the same online identity twice they 
are actually talking to the same person both times. Governments around the world 
already issue physical identity certificates, but in the online world governments 
came late to the game and private organizations such as Verisign have arisen to 
fill this gap. Any attempt by government to take back control of online identifica- 
tion, or even just to provide services in this space, will be met with resistance. 

Leaving aside the issue of who is issuing identity certificates, and how they are 
secured so as to be non-transferrable, some of these should uniquely identify the 
holder while others should be able to provide less or even no identity information. 
It should be possible to acquire as many such identity certificates as are needed, 
and unless they contain personal information in common between them there should 
be no way to link one anonymous identity to another. Some organizations already 
provide physical analogs, in the form of pre-paid credit cards, or pay-as-you-go cell 
phones, that require little or no personal information to activate. 

1.4 Need for Privacy and Attack Attribution Standards 

Question 4: Is there a need for standards in the development and implementation 
of attack attribution technologies? Is there a specific need for privacy standards and 
if so, what should be the government’s role in the development of these standards? 

Technologies that are built into the network architecture need to be made in ac- 
cordance with open standards, as this promotes interoperability and encourages 
broad adoption. Technologies for attack sensing and mitigation are more difficult to 
standardize, and standards may actually harm you because they give the attacker 
something to test their strength against before they come after you. 

So, the military will always have to have secret capabilities for attack attribution 
in addition to the infrastructure standards discussed in the previous answer. These 
secret capabilities become problematic when the military is asked to apply them to 
other government agencies, critical infrastructure, ISPs, academia, and inter- 
national corporations where transparency is vitally important. This is at the heart 
of the current Einstein debate which is considering the deployment of military in- 
trusion detection capabilities to protect civil agencies. The only solution I see to this 
problem is a public-private partnership (or standing commission) where technical 
expert members have government security clearances while not required for other 
commissioners who, over time, learn to trust in the unclassified explanations given 
to them by the technical experts. 

In the previous answer, we explained the need for standards involving authentica- 
tion, integrity, confidentiality, non-repudiation, geo-location, institutional affiliation, 
and more at the infrastructure level which bind all these attributes to the IP ad- 
dress of the end user. We would add an anonymous persona standard as well as 
new standards to protect privacy. The government should invest in the development 
of these standards, but let the open standards groups such as IETF, NIST, ISO, 
WWC, and more run those standards though their respective processes. The govern- 
ment should have representation at the table. 



104 


There is a specific need for new and improved privacy standards. We can best il- 
lustrate this by introducing a suggested framework for two important areas where 
privacy is critical: medical records and on-line transactions. This framework should 
make it clear that existing protocols for on-line transactions focus on the integrity 
of the financial transaction rather than the privacy of the parties involved. The 
framework appears in the last section. 

2. Full Discussion 

2.1 Introduction 

If we are to protect the Internet and its users from criminals, hostile nation 
states, and terrorists we will have to both design the Internet better and then be 
vigilant about monitoring it. The former will encourage technologies such as strong 
authentication, while the latter will likely force us to balance Security (attribution) 
& Privacy (anonymity) when designing new Internet protocols and host technologies. 
This may appear strange because, at some level. Security and Privacy (S&P) have 
a similar definition: The right to live out one’s life without interference from 
others. Indeed we can demonstrate many instances of best practices in computer 
& Internet security which result in enhancing both security and privacy simulta- 
neously. The very existence of these synergistic outcomes, however, permits argu- 
ments that can be used to deflect the discussion away from other areas (like attack 
attribution) where we frequently have to make tradeoffs. 

We say frequently above because it depends on the nature of the attack. Is it a 
National Security threat, or a criminal action and thus in the law enforcement do- 
main? Attribution techniques sufficient to identify a Nation State initiator of an at- 
tack for appropriate political/military response need not impact personal privacy. If 
it is a criminal attack against banks or persons, “following the money” may be more 
effective in gaining forensic-quality evidence for court action, as opposed to machine 
identities used merely as clues as to where to start the hunt for physical evidence 
of crime. 

Privacy and anonymity currently play a critical role to many of us here in the 
U.S. and to freedom fighters, whistle blowers, bloggers, and amateur reporters in 
both democratic and repressive regimes all over the globe. It’s one of the few medi- 
ums where you can be relatively anonymous. Unfortunately, the trend line looks 
ominous for those capabilities and I think these traits will largely disappear in the 
Internet in 20 years independent of the best intentions of some governments. This 
prediction is a function of where the Net came from and the fact it’s grown so fast 
and that it had to maintain the original assumptions which drove Internet plumbing 
(protocol and router development) in the first place and were friendly to anonymity 
interests. That said, the net is maturing, and as new protocols come online and a 
new generation of users grow up, the inevitable degradation of privacy is already 
well underway. In spite of the best efforts of civil libertarians, the current privacy 
issues are largely business driven. That is, you could still be anonymous if you 
wanted, but once you jump into the social networking or online commerce pool, it 
goes away quickly. It is highly likely that the next generation of internet protocols 
will have tbe capability to provide much stronger levels of attribution which will, 
as a byproduct, serve the interests of those seeking attack attribution. So our lack 
of privacy and anonymity in portions of the future internet may be inherent in the 
infrastructure, as well as a byproduct of the applications that ride on top of it, as 
is the case today. 

Geo-location is perhaps one of the greatest threats to both privacy and anonymity. 
The trend towards wireless mobility is embedding location tags deep in the infra- 
structure which will be imposed by the new protocols that are difficult to cir- 
cumvent. These protocols may also embed attributes such as personal identity, hard- 
ware identity, physical location, and institutional affiliation right in the internet 
protocol address. This trend will be business driven as national and international 
commerce will benefit from the stronger integrity and non-repudiation assurances 
for the transactions. Strong authentication of the person at the other end will be 
available from the infrastructure rather than from some application operating over 
it. 

These capabilities will serve us well in emergencies caused by natural disasters, 
man-made accidents, or hostile foreign threats; tweeters, bloggers, and social media 
players will get their news and pictures from someone at ground zero, rather than 
having to first sort through the political rhetoric emanating from a distant corner 
of the globe. These capabilities will have many other benefits, such as providing par- 
ents with the real time location of their children. They will also be used for nefar- 
iously purposes by criminals, rogue nations, industrial competitors, and terrorists. 



105 


Wouldn’t the terrorists like to turn the tables and know when key U.S. public offi- 
cials or military commanders are dining in a restaurant? 

When balancing the need for anonymity with attack attribution, there is no silver 
bullet, be it technology, policy, economic incentives, or cultural change, which will 
solve the problem. Even in cases where attack attribution is deemed more impor- 
tant, we don’t currently have reliable ways of actually doing it. Furthermore, when 
we can identify the offending computer with high probability we may not know who 
the actual human offender is. This is true because the computer owned by the inno- 
cent user may have been previously commandeered by a malicious and anon3mious 
adversary operating from a remote location anywhere in the world. For this reason 
corrective action such as quarantining the offender may actually be depriving the 
real computer owner of vital and even life supporting services delivered over the 
internet. 

For the reasons stated earlier, it seems reasonable that individuals should have 
the right to have an “anonymous persona” — or as many of them as they need — 
which they can use for online interactions. One ought to be able to anonymously 
check out the prices in Amazon and Borders before making a purchase; one ought 
to be able to visit the VA STD site before registering for treatment information; one 
ought to be able to anonymously read about LAPD civil rights violations; one ought 
to be able to communicate privately and anonymously with others, while still having 
some assurance that when we talk to the same anonymous ID we are talking to the 
same person. Many information providers may chose to only release information to 
properly authenticated and authorized individuals, but what about sites giving guid- 
ance to political dissidents, whistle blowers, oppressed groups, freedom fighters, 
etc.? These sites, of course, want to share this information privately and without 
any strings. 

In a world of insecure computers and botnets (commandeered armies of innocent 
computers) we will need attack attribution to point us to the offending computer, 
its owner or institutional affiliation, and its geographic location. But as computers 
become virtualized we will lose the ability to attribute action to specific computers 
and as we move to cloud computing we will even lose the ability to geo-locate the 
computer. This doesn’t mean that we can’t encode the user identity, computer ID, 
process ID, and institutional affiliation into the computer’s (IP) address, because 
with the proper R&D we can move to a next generation of internet protocols which 
do precisely that. 

2.2 Anonymity 

As children, many of us watched a program called “The Invisible Man”. Let’s sup- 
pose that technology makes that a reality where one could take a pill and become 
invisible for the next hour. This technology might profitably be used to observe na- 
ture without disturbing it, visit public places without the fear of recognition and un- 
wanted attention, associate with people we don’t want to be linked to, etc. This tech- 
nology is needed just as much by government entities as it is by citizens. Of course, 
it is also easy to envision how this technology might be used to commit crime, so 
we could surely expect a response which would, for example, make it illegal to enter 
a government building in the invisible state. Banks would respond by refusing ATM 
withdrawals to invisible people. While all of this sounds like an absurd policy de- 
bate, it is precisely what is being played out in cyber space today. Invisible actors 
from all of the threat groups are ever present in our computers, behind our locked 
doors, not in the jurisdiction of our courts, not in range of our guns, and overhearing 
both out thoughts and our private conversations. 

2.3 Losing Transparency 

As Americans we fiercely defend our right to privacy and security, and subse- 
quently create a vision where we achieve both simultaneously. This vision embodies 
our protection from individuals, corporations, governments, cultural and religious 
institutions, subversive organizations, and common criminals. Through our human 
experience with these actors we recognize that we have reason to fear all of them. 
Our lives are played out in part through acts conducted by “perpetrators” and which 
have impact on “victims”. \^ile these words are pejorative, it is this concept of be- 
coming a victim that drives our passion for achieving privacy and security. The 
problem with this logic is that the laws and tools which give potential victims pri- 
vacy and security can also be used by the threat agents to achieve anonymity. The 
result is a world with very little transparency into what everybody, from criminals 
to nation states, are actually doing. Even when we can see the consequence of these 
actions we may never know who the perpetrators are. One might argue that the his- 
tory of human social development (and even evolution) was driven by transparency 



106 


of action. While human nature has remained largely unchanged, we have witnessed 
three transformations brought about by technology that are having a profound im- 
pact on human behavior: 

• Attributable to anonjnnous 

• Discoverable to forever hidden, 

• Understandable to magical 

Wherever we lost transparency, whether into governments, corporations, or indi- 
viduals, bad actors eventually emerged and violated our trust and laws. 

2.4 Who Should We Fear 

In America we have a somewhat unique tendency to fear violation of our privacy 
from government above all. This stems from our beliefs and experiences that if we 
are wronged by an individual or a corporation we have recourse from damages in 
a court, while government has historically avoided such accountability. But, let us 
first explore the expanded threat to privacy and be specific about some of the (large- 
ly) foreign threats. Are we not concerned about the Chinese stealing our technology 
to produce less expensive versions, the Russians engaging in financial crimes, the 
Israelis’ stealing our political intentions, the French steeding our competition-sen- 
sitive materials, the Nigerians conning our elderly, and so on? These actors are all 
foreign threats, and they represent official governments, large corporations, terror- 
ists, and common criminals. And yet, to most of us, these actors are all beyond the 
reach of our American courts. Our security and privacy is threatened by all of them, 
yet many folks continue to focus primarily on government. I would suggest that 
more balance is needed in first identifying the real threat and then establishing the 
appropriate balance between privacy and security. 

Finally, I would be remiss to exclude the fact that while many of these threats 
are foreign, many are domestic, and, in the past, violations of domestic civil liberties 
were justified by reference to foreign threat. These are very dangerous constitu- 
tional grounds we tread and the gravity of the legal and constitutional dimensions 
cannot be trivialized. 

2.5 Conclusions 

In conclusion my comments are not focused on promoting what the ideal balance 
between privacy and security should be, but rather a challenge to those embracing 
the utopian view that both may be simultaneously within our grasp. We need to put 
together representatives from both sides of the debate, allow them to frame the 
issue, and present the differences in a way our policy and law can respond appro- 
priately. while we will continue to insist that private information remain just that, 
and that anonjnnous persona will be supported, the existence of a trusted third 
party such may be the only way to ensure that. So, the debate might eventually 
come to: can we trust government with the information it needs to protect our secu- 
rity or do we lose our privacy from a myriad of bad actors (the least of which may 
be government)? In my opinion government has not yet earned this trust and we 
will require a lot more transparency and oversight before mving that trust. 

In summary, the privacy & security debate (and hence the anonymity and attribu- 
tion debate) focuses us on only one aspect (albeit very important) of the problem and 
we need several initiatives to correct that. In parallel, we should also be using our 
status as a superpower to drive behavior by the Chinese on the internet, the French 
on business-competition practices, the Russians on stamping out financial crime, the 
Israelis on influencing our political system, and international crime-fighting organi- 
zations on establishing deterrents. This will require a U.S. policy with an enlight- 
ened international agenda which focuses on using what remaining superpower sta- 
tus we have to drive behavior. This is essential to balancing security and privacy 
at home while simultaneously promoting a robust ecommerce and human rights 
agenda globally. Once such behavior is agreed upon our policy must be “trust but 
verify” and will require some authorized (and transparent) monitoring of our infor- 
mation and telecommunications systems, while at the same time, embracing really 
strong mechanisms to protect privacy and anonymity. This monitoring will allow au- 
thorized governments to perform attack attribution with cooperation from the pri- 
vate sector. It will also require oversight by a trusted third party and considerable 
transparency on Main Street. 

3. Appendix: New Privacy Standards Framework 

We suggest a new framework to evaluate the security of an on-line transaction. 
We do this only to elaborate on the inadequacies of the current protocols which focus 
much more on security than privacy. Our transaction involves a buyer (Bob), a 



107 


search agent (Goliath), a seller (Sam), a trusted identity provider (Ida), a hank 
(Betsy), manufacturers (Matt and Martha), the blind anonymity provider (Andy), 
and finally, Boh’s roaming service (Robin). Bob wants to purchase specific goods and 
begins with asking Goliath to provide a list of sellers. Bob then selects a seller Sam 
and purchases a product using a credit card he was issued by Betsy. Ida provides 
some real time assurance that Bob and Sam are who they claim to be. Andy facili- 
tates the sharing of some transaction details with manufacturers Matt and Martha 
who need to restock the shelves. Note that these latter details are not made avail- 
able to Andy who is “blind” to the information needed by the wholesalers. Robin pro- 
vides a roaming and/or backup service for Bob’s secret credentials (Robin herself is 
blind to these credentials). 

The security complexity of multi-party protocols grows rapidly as the number of 
parties in the transaction increases. Our problem potentially has eight distinct roles 
with some of the roles having multiple players within a specific transaction (such 
as merchants, manufacturers, or identity providers). Different parties talk both di- 
rectly and indirectly to each other, security assertions are checked and passed along 
to other parties, and authentication, integrity, authorization, privacy, and non-repu- 
diation are potentially important to each of the relationships. 

We are now in a position to form a privacy framework based on the outcome of 
several assumptions: 

1. Bob knows everything about his transactions. 

2. Where Bob has shared his personal information with the other parties, he 
should still (legally) own that information and be able to update or revoke 
it at a later date. 

3. Ida(s) has provided identity assurance to potentially all parties in the trans- 
action. 

4. Goliath knows the set of sellers that have the products Sam is interested in, 
and, may or may not know Bob’s identity. 

5. Sam has sold a product to Bob, and Sam mw know Bob’s identity and his 
bank account number (today’s situation), or Sam knows Bob’s identity and 
mailing address only, or Sam doesn’t know anything about Bob. 

6. Sam may keep a record of the purchase, but the customer data, and the ac- 
count information may be kept by Bob only, or by both Bob and Sam. 

7. Betsy knows that Bob has made a purchase from Sam, has completed the 
financial transaction, and may or may not know detailed information about 
the product that was purchased 

8. Matt and Martha know somebody’s “purchasing interest” or “purchasing pro- 
file”, and may or may not know their identity. 

9. Andy has facilitated the transfer of some encrypted data from Bob to Matt 
and Martha, but doesn’t know what it is. 

10. Robin has encrypted information about Bob, including his secret keys, so 
she can support his roaming, but knows little more than Bob’s identity, and 
certainly can’t decrypt his secret keys. 

The choices in the above framework do not have one-size-fits-all answers, so the 
ultimate protocol selected must be tunable to the answers that fit the situation. 

For brevity, we will not demonstrate a similar privacy framework for medical pur- 
poses, but we will point out that there are even more stakeholders in the commu- 
nications and data retention aspects of any medical situation, and enumerate those 
stakeholders. They include patient, attending physician, treatment facility, pharma- 
ceutical provider, nurses and other medical care professionals, consulting physician, 
insurance provider, public health officials, pharmaceutical and infectious disease re- 
search community, accounting and billing support staff, and several others. While 
there are currently many places where anonymizers are used today to share medical 
information, we believe those protections are woefully inadequate. 

Acknowledgements 

I would like to acknowledge the contributions by several people who made critical 
comments and constructive ideas during the drafting of this testimony. All the views 
expressed in the preceding text certainly do not represent the positions of the names 
listed below. Indeed, in some areas, their views represent alternate positions. Never- 
the-less, their contributions were invaluable. 

William Crowell, Consultant, former CEO Cylink, former Deputy Director NSA 
Jerry Dickson, former Director of the National Cyber Security Division (NCSD) at 
DHS 



108 


Kevin R. Fall, Ph.D. 

Daniel E. Geer, Jr., Sc.D., CISC, In-Q-Tel 

Susan Landau, 2010-2011 Radcliffe Fellow, Harvard 

Ronald D. Lee, Attorney 

James Lewis, Center for Strategic and International Studies 

Mike McConnell, Booz Allen Hamilton, former DNI, former Director NSA 

Vin McLellan, Consultant and Publicist in Security & Cryptography 

Alan Paller, Director of Research, SANS institute 

Bruce Potter, CTO of Ponte Technologies, SHMOO founder 

Marcus Ranum, CSO of Tenable Network Security 

Brian Snow, Cryptographer and former NSA Senior 

Finally, this testimony would not have been possible without the content and edit- 
ing contributions from Patrick Henry of Ponte Technologies. 

Biography for Edward J. Giorgio 

Ed Giorgio is the co-founder and president of Ponte Technologies, a security and 
technology company. He is on numerous advisory boards, including the NSA Advi- 
sory Board and the Commission to advise the 44th president. He was formerly a 
principal at Booz Allen Hamilton, where he spent ten years working on information 
security and enterprise resilience issues for a variety of commercial clients and Fed- 
eral agencies. Mr. Giorgio also has nearly 30 years of security experience with the 
National Security Agency (NSA). While at NSA, he pioneered developments in com- 
munications security, national intelligence policy and technology, and public key 
cryptography. Mr. Giorgio is the only person to have served as both Chief U.S. 
codemaker and, subsequently, as Chief U.S. codebreaker at NSA where he directly 
managed 1600 mathematicians and computer scientists. As a mathematician, he de- 
signed and delivered the first public key based e-mail privacy and authentication 
system on the worldwide intelligence network. Today he provides services which 
help clients bridge business innovation, technology, and security and delivers these 
services to government and commercial clients. He also advises investment bankers 
and VC’s on the viability of early-stage security companies. Mr. Giorgio is consid- 
ered a leading authority on cryptology and has extensive experience in cryptog- 
raphy, Internet security technology, wireless security, security policy, information 
warfare, privacy, and intelligence sources and methods. 

Chairman Wu. Thank you very much, Mr. Giorgio. 

Mr. Rotenberg, please proceed. 

STATEMENT OF MARC ROTENBERG, PRESIDENT, ELECTRONIC 
PRIVACY INFORMATION CENTER 

Mr. Rotenberg. Thank you very much, Mr. Chairman, Members 
of the Subcommittee. I appreciate the opportunity to be here today. 
I am President of the Electronic Privacy Information Center and I 
teach privacy law at Georgetown and I have been involved in most 
of the debates about cybersecurity and privacy going back 25 years. 

My organization publishes an important report about privacy and 
human rights around the world, and I draw attention to this be- 
cause in our testimony, we talk about the use of attribution by gov- 
ernments, not necessarily for the purpose of promoting 
cybersecurity but actually to monitor and track people with un- 
popular political opinions. China has the most advanced means of 
attribution today for Internet users. They require Internet users to 
individually register themselves, to provide their true names, their 
e-mail addresses and the list of news services from which they re- 
ceive information on the Internet. They require Internet service 
providers to keep detailed logs on the activities of people who get 
access to the Internet through Chinese licensed ISPs, and they re- 
quire the cyber cafes, which is the main point of access for people 



109 


in China who want to get information on the Internet to track all 
the activity and keep these records for 60 days to make them avail- 
able to the Chinese government, and most interestingly, because I 
also have a background in managing one of the Internet domains, 
the .org domain, when the .cn domain became available for website 
registration, the Chinese government also required that 
businesspeople who wanted to create an Internet website using the 
.cn domain provide their actual name and a photograph to the gov- 
ernment so that they could also be identified. 

Now, China, of course, is not alone, and I cite in my testimony 
similar examples involving Burma, Syria, Iran and Egypt. The 
point that I am trying to make here is that there is a real risk, 
which I think was suggested by one of the other witnesses, that at- 
tribution techniques through this means of keeping track of what 
people do online will be used for purposes unrelated to 
cybersecurity that has a real impact on human rights and freedom 
of expression because of course what attribution also does is make 
people think twice about saying things that might be unpopular or 
controversial. 

Now, fortunately, in the United States, as I also describe in my 
testimony, we have a very strong constitutional right to speak 
anonymously, which is perhaps not surprising because the Fed- 
eralist Papers that provided the basis for our country were written 
by people who made frequent use of pseudonyms. They understood 
that publishing their views in a way that could be easily attrib- 
utable to them might quell their efforts to change the form of gov- 
ernment that existed in the colonies at the time, and our courts 
have said repeatedly that anonymity is an important right that is 
protected within the First Amendment. More recently, we have also 
been involved in cases involving Internet freedom and the famous 
ACLU [American Civil Liberties Union] versus Reno case from 
1996 that struck down the Communications Decency Act where the 
Supreme Court affirmed the very important role that the First 
Amendment plays in protecting Internet freedom. 

Now, what I did in preparation for this hearing with the help of 
our excellent law clerks who are at EPIC this summer was to re- 
search the cases involving identification requirements for the Inter- 
net. We were trying to answer your very specific question, would 
it be possible in the United States to have an identification require- 
ment, a mandatory requirement for anyone who goes online, which 
is certainly being talked about, and our conclusion is that we don’t 
think it would be possible. In the one case where an identification 
requirement has been upheld, and this was in the State of Utah 
after an earlier effort had been struck down, it was permitted only 
for convicted sex offenders where there was narrow collection of 
personal data and used for very narrow purposes. That is the only 
case that we could find. 

Finally, as I also set out in our testimony, looking at this prob- 
lem of attribution turns out to be very difficult, as other witnesses 
have pointed out, primarily because it is so easy for people online 
to evade detection. Bruce Schneider, who is a noted security expert, 
said bluntly, “It is futile.” What it will do is actually create new 
opportunities for people to hide because they will create new false 
credentials, and the recent report from the National Research 



110 


Council that also looks at the issue of attribution reaches a similar 
conclusion. This is not to say that we aren’t aware that there are 
serious network threats which obviously implicate privacy and se- 
curity interests but we think it is very important in this area to 
also consider the harmful impact that a broad attribution require- 
ment might have for the freedom of Internet users. 

Thank you again for the opportunity to be here. 

[The prepared statement of Mr. Rotenberg follows:] 

Prepared Statement of Marc Rotenberg 

Mr. Chairman, Members of the Committee, thank you for the opportunity to ap- 
pear today to discuss the topic of Cyber Security and Attribution. We appreciate 
your interest in this topic. 

My name is Marc Rotenberg. I am President of the Electronic Privacy Information 
Center (EPIC), a non-partisan public interest research organization established in 
1994 to focus public attention on emerging privacy and civil liberties issues. Since 
our founding, we have had an ongoing interest in computer security, privacy, and 
identification. In fact, EPIC began in response to a proposal from the National Secu- 
rity Agency to establish a mandatory key escrow encryption standard that could 
have easily prevented the emergence of the Internet as a powerful force for economic 
growth and political change. 

EPIC was founded in 1994 in part to address concerns about the role of the Na- 
tional Security Agency in computer security policy.^ Since then EPIC has partici- 
pated in numerous public debates regarding the protection of privacy rights on the 
Internet and elsewhere. EPIC is currently engaged in active litigation under the 
Ereedom of Information Act with the NSA and National Security Council regarding 
National Security Presidential Directive 54, a secret document that governs the 
NSA’s current authority over cyber security policy.® EPIC has also been involved re- 
cently in seeking information regarding the secret cyber security program known as 
EINSTEIN 3.0, as well as a new secret program within the NSA called “Perfect Cit- 
izen.” And I have participated in scientific workshops on such topics as “eDNA,” 
a proposal to tie every user activity to their unique DNA, developed by Admiral 
John Poindexter the architect of Total Information Awareness, that was thankfully 
rejected.® 

In my statement today, I will point to the risks and limitations of attempting to 
establish a mandatory Internet ID that may be favored by some as a way to address 
the risk of cyber attack. Such a proposal has significant implication for human 
rights and freedom online. It is not even clear that it would be constitutional to 
mandate such a requirement in the United States. 

To be clear, there are real concerns about network security. Network 
vulnerabilities also have implications for privacy protection. But solutions to one 
problem invariably create new problems. As we learned in the early days of the 
Internet, a proposal to make it easier for the government to monitor network traffic 
will also make communications more vulnerable to criminals and other attackers. 
Similarly, proposals to mandate online identification will create new risks to privacy 
and security. 

I. Internet attribution requirements have resulted in censorship and inter- 
national human rights violations. 

It may be that governments establish attribution requirements to address cyber 
security concerns. But it also clear that governments impose these requirements to 


lEPIC Counsel Jared Kaprove and EPIC IPIOP clerks Matthew Lijoi, Laura Moy, Reuben 
Rodriguez assisted in the preparation of this statement. The views expressed are my own. 

^See EPIC, The Clipper Chip, httpij ! epic.org ] crypto ! clipper (last visited July 13, 2010). 

^EPIC V. NSA, No. 10-196 (D.D.C. filed Feb. 4, 2010). 

"^See generally EPIC, Cybersecurity and Privacy, http: ! j epic.org ! privacy ! cybersecurity ! (last 
visited July 13, 2010). 

® John Markoff, Surveillance Agency Weighed, hut Discarded, Plan Reconfiguring the Internet, 
N.Y. TIMES, Nov. 22, 2002, available at http: II wwiv.nytimes.com j 2002 ! 11 1 22 1 politics ! 
22TRAC.html. The project description of eDNA stated: 

We envisage that all network and client resources will maintain traces of user eDNA 
so that the user can be uniquely identified as having visited a Web site, having started 
a process or having sent a packet. This way, the resources and those who use them 
form a virtual ’crime scene’ that contains evidence about the identity of the users, much 
the same way as a real crime scene contains DNA traces of people. 



Ill 


track the activities of citizens and to crack down on controversial political views. We 
know this from our research of identity requirements for Internet use outside of the 
United States.® The risk of mandatory attribution can be seen most clearly today 
in China. If fact, in just the last day, the Associated Press reported on efforts in 
China to crack down on anonymity and mandate identification requirements.'^ 
Currently, China leads the world in Internet use. Over 360 million people access 
the internet in China, an increase of 1,500% since the year 2000, accounting for over 
twenty percent of the world’s online population.® Despite these numbers, Chinese 
Internet users must abide some of the strictest identification requirements to get 
online. By making user Internet activity appear attributable to the individual, Chi- 
na’s regulations generate user self-censorship. 

The Chinese government identifies users who access to the Internet in three ways: 
(1) mandatory registration requirements, (2) requirements on Internet Service Pro- 
viders, and (3) regulation of Internet cafes.® 

China first began control over individual access to the Internet in 1996, and has 
since revised its policies several times;^® many of these revisions entailed require- 
ments that users provide identification when accessing the Internet or using certain 
Internet services. Chinese citizens wishing to access the Internet are required to ob- 
tain a license for Internet access. They must register with the local police by pro- 
viding their names, the names of their Internet service providers (ISPs), their email 
addresses, and any newsgroups to which they subscribe. In February of 2010, the 
Chinese government lifted a ban on registrations of domain names ending in the 
“.cn” suffix, but also imposed strict new requirements for their use.'^^ Now, individ- 
uals individual wishing to set up personal websites using the suffix must verify 
their identities with regulators and have their photograph taken, 

Additionally, some local and provincial Chinese authorities currently require that 
individuals use their real names when accessing bulletin boards, chat rooms, or IM 
services. The requirement also extends to university settings,^® and in July 2005, 
all administrators and group founders of China’s largest instant messaging service, 
QQ were told that they must use their real names to access the service. A notice 
from the Shenzhen Public Security Bureau declared: “This year, at various internet 
chat rooms in our city, there were chat groups, forums, BBS, internet SMS and var- 
ious internet public information services in which there were illegal assemblies, ille- 
gal alliances and obscene behaviors being observed. In order to protect national se- 
curity and preserve social stability. . .we will be conducting clean-ups on network 
public information services.” 


6 See generally EPIC, PRIVACY AND HUMAN RIGHTS: AN INTERNATIONAL SURVEY OF 
PRIVACY LAWS AND DEVELOPMENTS (2006) [hereinafter “PRIVACY AND HUMAN 
RIGHTS.”] 

Anita Chang, China seeks to reduce Internet users' anonymity, Associated Press, July 13, 
2010, at http: ! j www.google.com / hostednews ! ap ! article ! ALegM5goTlHz28jUIOSMcwiJD9m 
X6GVZyQD9GUI6VOO (“A leading Chinese Internet regulator has vowed to reduce anonymity 
in China’s portion of cyberspace, calling for requirements that people use their real names when 
buying a mobile phone or going online, according to a human rights group.”) See also, Rebecca 
MacKinnon, RConversation: China’s Internet White Paper: networked authoritarianism in action, 
June 15, 2010, http: 1 1 rconversation.blogs.com I rconversation 1 2010 1061 chinas-internet-white- 
paper-networked-authoritarianism.html. 

® Internet World Stats, Internet Users — Top 20 Countries — Internet Use, http:! j 
www.internetworldstats.com/top20.htm (last visited July 13, 2010). 

® See Trina K. Kissel, License to Blog: Internet Regulation in the People’s Republic of China, 
17 IND. INT’L & COMP. L. REV. 229 (2007). 

Kristin M. Reed, Comment, From the Great Firewall of China to the Berlin Firewall: The 
Cost of Content Regulation on Internet Commerce, 13 TRANSNAT’L LAW. 451, 462 (2000). See 
also, PRIVACY AND HUMAN RIGHTS 349-51 (2006) (“China— Monitoring of Cybercafes”). 

11 W. 

1® Reporters Without Borders, Internet Enemies: China, at 3, Dec. 3, 2010, available at http:/ 
/ en.rsf.org / IMG / article -PDF / china-china-12-03-2010, 36677.pdf . 

1® David Pierson, China Steps Up Policing of New Websites, L.A. TIMES, Feb. 25, 2010. 

I’l Radio Free Asia, China Tightens Grip on Cyberspace, Aug. 17, 2005, http:/ lwww.rfa.org / 
english /news /in- depthJ2005 108/ 17 j internet -china / . 

^t>Id. 

i®Nanfang Weekend, Fourteen Departments United to ‘Purify” the Internet, Aug. 18, 2005, 
translated in EastSouthWestNorth, Purifying the Chinese Internet, http: / / 
www.zonaeuropa.com/ 20050821 -l.htm (last visited July 9, 2010). QQ has 100 million active 
users, including 8 million users who are founders or administrators. 

17 W. 



112 


Chinese state-licensed ISPs are required to track and store user activity, ISPs 
must retain records on user identification, what sites the user visited, the duration 
of the user’s visits, and the user’s activity on those sites.^® Though Chinese laws 
prohibit disclosure of this information generally, they make exceptions for a number 
of government purposes, including national security or criminal investigations.^® 
Moreover, there are few formal procedures for requesting such data, and most of the 
time ISPs will disclose to the government an individuals internet usage and identi- 
fication with just an informal request.^^ 

Finally, Internet cafes in China abide by strict regulations that require them to 
identify their patrons.^^ Many Internet users in China rely on Internet cafes as a 
primary means of access.^® All Internet cafes must install filtering software, ban mi- 
nors from entering, monitor the activity of their patrons, and record patrons’ iden- 
tity and complete session logs for up to sixty days.^'^ In many cities, Internet cafes 
are also connected by live video feeds to the local police department.^® 

The identification requirements China placed on Internet access cause users to po- 
lice their own Internet usage. China’s Internet users (justifiably) believe that all of 
Internet activity is attributable to the individual. Transgressing Chinese Internet 
policy is often met with harsh penalties.^® Therefore, without anonymity, many 
Internet users in China steer well clear of any potentially controversial activity that 
might violate China’s vague Internet prohibitions. 

China is well known for directly filtering internet content within its borders;^'^ 
however, the practice of attributing Internet activity to the specific user through 
identification requirements is even more effective in regulating Internet content 
than direct filtering.^® China’s identification laws are designed to make the user be- 
lieve “that every bit of [her] activity is tracked.” Furthermore, China’s enforce- 
ment of its Internet laws gives users reason to be concerned that if they violate the 
laws, they will be caught and the punishment will be severe.®® Almost every inter- 
net-related imprisonment resulted from an accusation of subversion, a guilty ver- 
dict, and a two to twelve year prison sentence.®^ In this way, “[t]he manhunts for 
individual internet users, which often mobilize dozens of agents from the public se- 
curity and state security ministries, serve as warnings for the recalcitrants and dis- 
sidents who continue to surf the internet.”®® 

Given that individual users, content providers, and ISPs can all be held liable for 
illegal content,®® each of these entities acts as a self-censor, avoiding, monitoring, 
or deleting content that might be illegal. Removing Internet anonymity and requir- 
ing identification to access the Internet means that China’s “best censorship is self- 
censorship.” ®’‘ 


Open Net Initiative, Internet Filtering in China (2009), http: I ! opetinet.net ! sites ! 
opennet.net ! files / ONI^China ^2009. pdf at 15. 

IS Id. 

sold, at 14. 

21 W. at 14-15. 

22 See id. at 15. See also, Jill R. Newbold, Note, Aiding the Enemy: Imposing Liability on U.S. 
Corporations for Selling China Internet Tools to Restrict Human Rights, 2003 U. ILL. J.L. 
TECH. & POLT 503, 504 (2003). 

so See generally, Audra Ang, China Wants Web News ‘Civilized’, DESERET MORNING NEWS, 
Sept. 26, 2005, at A4, available at 2005 WLNR 15133888. 

2 ^ Open Net Initiative, supra note 18 at 15. 

sold. 

soR.g., Kristen Farrell, The Big Mamas are Watching: China’s Censorship of the Internet and 
the Strain on Freedom of Expression, 15 MICH. ST. J. INT’L L. 577, 578—85 (2007) (describing 
three examples of arrests and imprisonment for internet speech). 

22 See, e.g.. Open Net Initiative, supra note 18. 

so See generally , Congressional-Executive Commission on China, 2005 Annual Report, at Ill(e), 
http: 1 1 WWW. cecc.gov / pages jannualRptj annualRptOS 1 2005 -3e - expression.php (last visited 
July 9, 2010). 

so Tim Johnson, In China, Sophisticated Filters Keep the Internet Near Sterile, MCCLATCHY, 
July 13, 2005, http:! Iwww.mcclatchydc.com 12005 107 ! 13! 12100 1 in-china-sophisticated-filters, 
html. 

®® Congressional-Executive Commission on China, 2005 Annual Report, at Ill(e), supra note 
28. See also Farrell, supra note 26; Kissel, supra note 9 at 243-46. 

00 See Bobson Wong, The Tug-of-War for Control of China’s Internet, http:! j 
www.hrichina.org ! fs ! downloadables j pdf i downloadable-resources i 

a3 -Tugofwar.2004.pdf?revision -id=8986 (last visited July 9, 2010) (describing Chinese citizens 
who were imprisoned for posting information on the internet). 

®2 Reporters Without Borders, Living Dangerously on the Net: Censorship and Surveillance of 
internet Forums, May 12, 2003, http:! Iwww.rsf.org ! article.php3?id-article=6793. 

so See Open Net Initiative, supra note 18 at 15. 

24 Matthew Forney, China’s Web Watchers, TIME, Oct. 3, 2005, available at http:! j 
www.time.com ! time i magazine ! article ! 0,9 17 1,50 10510 10-11 12920, OO.html. 



113 


In addition to China, several other countries have used Internet identification re- 
quirements to limit or control their citizens’ speech. In Burma, internet cafes are 
required to take screenshots of their patrons’ screens every five minutes, and must 
be able to provide every users ID number, telephone number, and address if the po- 
lice request them.®® In Egypt, Internet cafes must be licensed by the government, 
although what the requirements and stipulations of obtaining a license are un- 
clear, Additionally, although no formal policy demands it, Internet cafe owners are 
often coerced through licensing raids into recording customer IDs and maintaining 
them on file. The records are not sent to a central database.^'^ In Iran, ISPs are lia- 
ble for their users’ activity, and are also responsible for recording all user informa- 
tion and IP addresses.^® All Internet traffic is also routed through the Telecommuni- 
cations Company of Iran, so it can easily be monitored.®® In Syria, although other 
ISPs are available, users wishing to use the government-owned Syria Telecommuni- 
cation Establishment (STE) must apply with their government issued identity card 
and supply their username and password.’^® Internet cafes are also heavily mon- 
itored, with cafe managers required to take customers’ personal information (up to 
and including mother’s and father’s names) and to keep a record of what sites their 
customers visit. Additionally, cafe managers must report any overtly illegal activ- 
ity.^i Just like in China, all these identification and tracking requirements must 
lead to self-censorship of politically sensitive speech. 

II. In the United States, a government-mandated Internet identification re- 
quirement would likely violate the First Amendment. 

Anonymity is an important protection to shield the speakers of unpopular or con- 
troversial opinions. It is settled law that the First Amendment incorporates a right 
to speak anonymously.’^^ A government mandated identity requirement would pose 
a significant threat to the ability of users to engage in political speech online. In 
order to place such a burden on the ability of individuals to express political speech, 
the government must show that the proposed burden is the least restrictive means 
of advancing an overriding state interest. Under this standard, a program to deter 
and investigate cyber attacks in which all users are required to identify themselves 
before accessing the Internet is unlikely to be constitutional in practice. 

A. The First Amendment protects the right to speak anonymously online. 

Anonymous and pseudonymous speech has a long history in the United States. 
Before the American Revolution, much political writing was distributed in the form 
of anonymous pamphlets and later, during the debate surrounding adoption of the 
Constitution, the Founders published essays under names such as “Publius,” “Cato,” 
and “Brutus.”"*® In light of this history, the Supreme Court has recognized a First 
Amendment right to anonymous political speech.** As the Supreme Court said in 
the McIntyre case, while this right to remain anonymous “may be abused when it 
shields fraudulent conduct. . .our society accords greater weight to the value of free 
speech than to the dangers of its misuse.”*® Courts have also recognized that in the 
area of speech, the interest in anonymity outweighs other competing interests, such 
as the interests in preventing fraud, false advertising, and libel. *® 

In the current age, the Supreme Courts has recognized the important role the 
Internet plays as a means of communication.*^ People use the Internet for a wide 


3®Reporters Without Borders, Internet Enemies — Burma, at 3, http: I ! en.rsf.org ! internet- 
enemie-burnm, 36676.html. 

Eric Goldstein, et al., False Freedom: Online Censorship in the Middle East and North 
Afriea, Human Rights Watch Vol. 17, No. 10(E) at 33 (2005) (hereinafter False Freedom). 

37 W. 

33 See False Freedom, supra note 36 at 47. 

390pen Net Initiative, Internet Filtering in Iran, 2009, http:! ! opennet.net I sites ! opennet.net ! 
files I ONI -Iran -2009.pdf at 3. 

"^^False Freedom, supra note 36 at 75. 

** Reporters Without Borders, Internet Enemies — Syria, at 3, http:! I en.rsf.org ! IMG ! arti- 
cle -PDF j syria-syria-12-03-2010, 36G89.pdf . 

"^^Mclntyre v. Ohio Elections Comm’n, 514 U.S. 334 (1994). 

*3See McIntyre v. Ohio Eleetions Comm’n, 514 U.S. 334, 368 (1994)(Thomas, J. concurring). 

**/d. at 342. 

*®See id. at 357 (citing Abrams v. United States, 250 U.S. 616, 630-31 (Holmes, J., dis- 
senting)). 

*3 See, e.g., Talley v. California, 362 U.S. 60, 65 (1960). 

*7 See Reno v. Am. Civil Liberties Union, 521 U.S. 844, 870 (1997) (finding that Supreme 
Court precedent “provide[s] no basis for qualifying the level of First Amendment scrutiny that 
should be applied to [the Internet]”). 



114 


range of political and social purposes.^® Through the use of the Internet, “any per- 
son with a phone line can become a town crier with a voice that resonates further 
than it could from any soapbox.” Anonymity is an important part of Internet com- 
munication. “The ‘ability to speak one’s mind’ on the Internet ‘without the burden 
of the other party knowing all the facts about one’s identity can foster open commu- 
nication and robust debate.”®® Knowing they might face retaliation, ostracism, or 
embarrassment, users were forced to identify themselves before engaging in speech 
on the Internet might be deterred from expressing unpopular ideas or seeking sen- 
sitive information.®! As a result of the Internet’s importance as a communication 
tool, courts have extended the protections of the First Amendment, and specifically 
the right to anonymity, to online speech.®® 

B. Courts have found broad identification requirements on Internet use to violate the 
Constitution. 

A broad requirement for all users to identify themselves before being able to ac- 
cess the internet would almost certainly be considered overbroad, insufficiently nar- 
rowly tailored to achieve its purpose, and unconstitutional. In ACLU v. Miller, the 
Northern District of Georgia considered a state law that criminalized knowingly 
transmitting data while falsely identifying oneself.®® The state asserted that the 
statute’s purpose was fraud prevention. The court agreed that this was a compelling 
interest, but held that the statute was not sufficiently narrowly tailored to achieve 
its purpose because the statute would apply whenever anyone falsely identified 
themselves, even when there was no intent to defraud or deceive. Furthermore, the 
court noted that “the act prohibits such protected speech as the use of false identi- 
fication to avoid social ostracism, to prevent discrimination and harassment, and to 
protected privacy. . .”®! As a result, the court held that the statute was overbroad 
and unconstitutional. 

Whereas Miller merely prevented people from falsely identifying themselves, in 
Doe V. Shurtleff the state of Utah sought to require a convicted sex offender affirma- 
tively submit his “internet identifiers” to the state for inclusion in its sex offender 
registry. This would include all of the offender’s email addresses, chat user names, 
instant messaging names, social networking pages, and passwords. Once the infor- 
mation was submitted, there were no restrictions on how the Department of Correc- 
tions could use or disseminate it. There were no statutory limits which prevented 
the Department of Corrections from “using the information to reveal the identity of 
a registrant who had spoken online in a non-criminal manner, or to release the in- 
formation to others who wish to do so.” Although he was a convicted sex offender. 
Doe retained his First Amendment right to speak anonymously online and the stat- 
ute implicated criminal and protected speech alike.®® Thus, the court held that the 
statute was not sufficiently narrowly tailored to achieve its purpose of protecting 
children from Internet predators and investigating online crime.®® 

These two cases show that where the government attempts to install a mandatory 
identification requirement without limits as to how the information can be used, the 
courts are likely to strike the requirement down as overbroad and unconstitutional. 


“^See DAVID KIRKPATRICK, THE FACEBOOK EFFECT: THE INSIDE STORY OF THE 
COMPANY THAT IS CONNECTING THE WORLD 1-8 (describing the use of Facebook to pro- 
mote an anti-FARC group in Columbia). 

*oid. 

^^Doe V. 2theMart.com, 140 F. Supp. 2d 1088, 1092 (W.D. Wash. 2001) (citing Columbia Ins. 
Co. V. Seescandy.com, 185 F.R.D. 573, 578 (N.D. Cal. 1999)). 

®!See McIntyre, 514 U.S. at 334; Am. Civil Liberties Union v. Miller, 977 F. Supp. at 1230. 
s®See e.g., Sinclair v. TubeSockTedD, 596 F. Supp. 2d 128, 132 (D.D.C. 2009) (“Generally 
speaking, the First Amendment protects the right to speak anonymously. Such rights to speak 
anonymously apply, moreover, to speech on the Internet.” (citations omitted)); Doe v. 
2TheMart.com, 140 F. Supp. 2d at 1093 (holding “the right to speak anonymously extends to 
speech via the Internet”); Am. Civil Liberties Union v. Johnson, 4 F. Supp. 2d 1029, (D.N.M. 
1998) (holding that a state statute requiring website operators restrict access to indecent mate- 
rials through use of a credit card, dehit account, or adult access code violates the First Amend- 
ment “because it prevents people from communicating and accessing information anonymously”). 
S3 977 F. Supp. 1228, 1230 (N.D. Ga. 1997) 

^*Id. at 1233. 
ss/d at 21 

ssDoe V. Shurtleff, No. l:08-CV-64 TC, 2008 U.S. Dist. LEXIS 73787, at *23 (D. Utah Sept. 
25, 2008). 



115 


C. Courts have only found Internet identification requirements to be constitutional 
in extremely limited circumstances involving convicted sex offenders. 

The only courts that have found Internet identification requirements not to violate 
the Constitution have been considering extremely limited situations involving the 
tracking of convicted sex offenders on specific websites. The best example of this is 
the sequel to the Shurtleff decision. After the original decision, the Utah le^slature 
went back and amended the statute requiring the sex offender to submit his Inter- 
net identifiers to include new limits on how the information could be used and dis- 
seminated. The Department of Corrections would only be able to use the information 
“to assist investigating sex-related crimes.”®'^ In accordance with Utah’s Govern- 
mental Records and Management Act, they would also be able to disclose the infor- 
mation to the subject of the record, to anyone authorized by the subject, or when 
the information is subject to a court order or legislative subpoena. With these new 
restrictions in place, the court held that the identification requirements “no longer 
intruded into Doe’s ability to engage in anonymous core political speech.” Because 
the information could no longer be used to monitor Doe’s speech, the chilling effect 
on his speech was diminished and the registry was in compliance with the First 
Amendment.®® 

In a similar case. White v. Baker the court struck down a requirement for sex 
offenders to submit all of their Internet identifiers as overbroad, however, it pro- 
vided suggestions for how such a statute would pass constitutional muster. The 
court held that the Georgia statute at issue went wrong by requiring all of the of- 
fender’s Internet identifiers. First, the court noted that “a regulatory scheme de- 
signed to further the state’s legitimate interest in protecting children from commu- 
nication enticing them into illegal sexual activity should consider how and where 
on the internet such communication occurs.” A requirement to turn over all Inter- 
net identifiers would include an offender’s identification on blogs or on shopping 
websites where communication with children would be unlikely or impossible.®^ Fur- 
thermore, there were few limits as to how the information, once submitted, could 
be used or disseminated.®® The statute allowed the information to be used for unde- 
fined “law enforcement purposes” and even to be disclosed to the public. This opened 
up the possibility that the offender’s speech could be monitored by government or 
private citizens, disclosing protected speech that the offender chose to engage in 
anonymously.®'^ Concluding the opinion, the court noted that, because the state had 
a compelling interest, it had the ability to enact regulation, provided it was suffi- 
ciently narrowly targeted at the kind of interactive communications that entice chil- 
dren into illegal sexual conduct and the disclosure provisions of the statute were 
narrowed.®® 

Investigating cyber attacks is a broad use compared to investigating sex crimes 
and one could easily imagine it turning into monitoring of political speech on anony- 
mous message boards or similar communications platforms. This would be an espe- 
cially prevalent concern if the government required individuals to submit all of their 
Internet identifiers, as in White. Finally, there would be the ever-present specter of 
a data breach in the government’s database, thereby risking the exposure of the 
identities and activities of all Americans on the Internet. Given the difficulties in 
narrowly tailoring the law to meet some ill-defined interest in cyber attacks, a man- 
datory identification scheme for Internet use may be possible, but it would probably 
be unconstitutional in practice. 

III. Most research makes clear that attribution techniques have significant 
limitations. 

So far, I have described how countries will deploy Internet attribution techniques 
for purposes unrelated to cyber security. I have also suggested that it would be un- 
constitutional for the United States government to impose an identity requirement 
for Internet users in the United States. Still, there is a clear need in the instance 
of a cyber attack or other types of malicious Internet use to determine the source 
of an attack. As one commentator has said, “[wjithout the fear of being caught, con- 


V. Shurtleff No. l:08-CV-64 TC, 2009 U.S. Dist. LEXIS 73955, at *5 (D. Utah Aug. 20, 
2009) [hereinafter “Shurtleff II”]. 

®®See id. at '*'9-10. 
lioid. 

6<>No. l:09-cv-151-WSD, 2010 U.S. Dist. LEXIS 25679 (N.D. Ga. Mar. 3, 2010). 
ei/d. at 48-49. 

02 Id. at 49-50. 

00 Id. at 50-54. 
oild. at 52. 
ooid. at 55. 



116 


victed and punished, individuals and organizations will continue to use the Internet 
to conduct malicious activities.”®® But the problem is not easily solved. As Internet 
security expert Bruce Schneier has bluntly stated: 

Any design of the Internet must allow for anonymity. Universal identification 
is impossible. Even attribution — knowing who is responsible for particular 
Internet packets — is impossible. Attempting to build such a system is futile, and 
will only give criminals and hackers new ways to hide. . . . 

Attempts to banish anonymity from the Internet won’t affect those savvy 
enough to bypass it, would cost billions, and would have only a negligible effect 
on security. What such attempts would do is affect the average user’s access to 
free speech, including those who use the Internet’s anonymity to survive: dis- 
sidents in Iran, China, and elsewhere.®'^ 

As I said earlier, improved attribution techniques may chill speech, including dis- 
senting speech in repressive political and organizational regimes. This has been ac- 
knowledged by many of the current participants in the cyber security debate. One 
group stated that the absence of attribution, or “non-attribution,” can be “vital to 
protecting radical ideas and minority views in oppressive regimes,”®® and cautioned 
that the “[mjechanisms developed to facilitate attribution must enforce non-attribu- 
tion for the purposes of sharing opinions and ideas.”®® Another group pointed out 
that attribution exposes political dissidents and whistleblowers to potential repris- 
als.'^® The Department of Homeland Security has itself made clear the need to bal- 
ance attribution against the need for anonymity and free speech.'^i 
Second, no matter how good attribution technologies are, attribution will probably 
still fail to identify the most sophisticated attackers. In the words of one expert 
group, “[w]hile anonymizers can be defeated in theory, there are numerous practical 
difficulties to achieving attribution when a sophisticated user desires anonymity.” 
Another commentator notes that “[s]mart hackers . . . route attacks through coun- 
tries with which the target’s government has poor diplomatic relations or no law en- 
forcement cooperation, and exploit unwitting, third-party networks.”'^® Because so- 
phisticated attackers often obscure their trail by routing activities through multiple 
countries, complete attribution capability would require the implementation of co- 
ordinated policies on a near-impossible global scale. 

Finally, improved attribution techniques will probably not be effective against 
non-state enemies, such as the al-Qaeda terrorist network. As an initial matter, 
non-state actors are unlikely to have access to the resources necessary to launch 
successful cyber attacks. As Mr. Knake has said “al-Qaeda lacks the capability and 
motivation to exploit. . .vulnerabilities” in our country’s critical infrastructure.^"*^ 

On the other hand, some scholars believe that terrorist groups may well have ac- 
cess to the sort of sophisticated computer technologies needed to conduct 
cybercrime. Even if terrorists could get their hands on the tools needed to launch 
a successful cyber attack against the United States, improved attribution techniques 
probably wouldn’t help us deter them because one of the biggest problems with non- 
state terrorists is that they aren’t deterred by the threat of retaliation. 

The National Research Council (“NRC”) recently undertook an extensive review 
of cyber security and considered the problem of attribution in several instances.'^® 


®® Jeffrey Hunker, Robert Hutchinson & Jonathan Margulies, Attribution of Cyber Attacks on 
Process Control Systems, in CRITICAL INFRASTRUCTURE PROTECTION II 87. 88 (Mauricio 
Papa & Sujeet Shenoi eds., 2008). [Hereinafter “CRITICAL INFRASTRUCTURE PROTECTION 
11 .”] 

®'*’Bruce Schneir, Schneir on Security: Anonymity and the Internet, Feb. 3, 2010, available at 
http:! / www.schneier.com ! blog ! archives ! 2010 ! 02 ! anonymity -and -t -3.html 

CRITICAL INFRASTRUCTURE PROTECTION 11. 

B^Id. 

70 matt bishop, CARRIE GATES & JEFFREY HUNKER, THE SISTERHOOD OF THE 
TRAVELING PACKETS 4 (2009), available at httpij I www.nspw.org j papers 1 2009 1 nspw2009- 
gates.pdf. 

■'lU.S. DEP’T OF HOMELAND SEC., A ROADMAP FOR CYBERSECURITY RESEARCH 69 
(2009), available at http:! / www.cyber.st.dhs.gov / docs I DHS-Cybersecurity-Roadmap.pdf. 

Hunker, Hutchinson & Margulies, supra note 66, at 91. 

Kenneth Geers, The Challenge of Cyber Attack Deterrence, 26 COMP. L. SEC. REV. 298, 
301 (2010). 

Robert K. Knake, Expert Brief: Cyberterrorism Hype v. Fact, httpij j www.cfr.org j publica- 
tion j 21434 j cyberterrorism-hype -V -fact.html (last accessed July 13, 2010). 

’’^See, e.g., CLAY WILSON, CONG. RESEARCH SERV., BOTNETS. CYBERCRIME, AND 
CYBERTERRORISM: VULNERABILITIES AND POLICY ISSUES FOR CONGRESS 16 (2008), 
available at http:! j www.fas.org j sgp j crs i terror j RL32114.pdf, Geers, supra note 73, at 302. 

•'SNAT’L RESEARCH COUNCIL COMM. ON OFFENSIVE INFO. WARFARE, TECH- 
NOLOGY, POLICY, LAW AND ETHICS REGARDING U.S. ACQUISITION AND USE OF 



117 


The NRC identified three reasons that deterrence by retaliation may be particularly 
ineffective against non-state actors: 

First, a non-state group may be particularly difficult to identify. . . . Second, 
a non-state group is likely to have few if any information technology assets that 
can be targeted. Third, some groups. . .regard counterattacks as a challenge to 
be welcomed rather than something to be feared.^'^ 

The NRC concluded: 

The bottom line is that it is too strong a statement to say that plausible attribu- 
tion of an adversary’s cyberattack is impossible, but it is also too strong to say 
that definitive and certain attribution of an adversary’s cyberattack will always 
be possible.™ 

Based on our review of the costs and benefits of attribution techniques, there are 
a few key points to consider: 

• The attribution of cyberattacks would greatly assist in facilitating counter- 
attacks. 

• The law of war requires an attacked body to attribute the initial attack before 
a counterattack will be permitted. 

• Improved attribution methods would probably increase the ability to deter at- 
tacks; however, deterrence would only be effective against individuals or 
groups who fear retaliation. 

• Attribution of activities carried out over the Internet is extremely difficult, 
and in many cases impossible, to achieve. 

• Improvements to attribution methods will most likely fail to prevent tech- 
nically sophisticated attackers from hiding their identity. 

• Because Internet activity may be routed through multiple countries, including 
those with limited network security resources, complete attribution capability 
will require the implementation of coordinated policies on a near-impossible 
global scale. 

• Improved techniques for achieving attribution of Internet activities will chill 
dissenting speech in repressive political and organizational regimes. 

• Critical infrastructure administrators ought to be more concerned about vul- 
nerability to internal attacks than about vulnerability to attacks from the 
outside. 

Conclusion 

Steve Bellovin, another security expert, noted recently that one of risks of the new 
White House plan for cyber security is that it places too much emphasis on attribu- 
tion.™ As Dr. Bellovin explains: 

The fundamental premise of the proposed strategy is that our serious Internet 
security problems are due to lack of sufficient authentication. That is demon- 
strably false. The biggest problem was and is buggy code. All the authentication 
in the world won’t stop a bad guy who goes around the authentication system, 
either by finding bugs exploitable before authentication is performed, finding 
bugs in the authentication system itself, or by hijacking your system and abus- 
ing the authenticated connection set up by the legitimate user.®° 

While I believe the White House, the Cyber Security Advisor, and the various par- 
ticipants in the drafting process have made an important effort to address privacy 
and security interests, I share Professor Bellovin’s concern that too much emphasis 
has been placed on promoting identification. 

I also believe that online identification, promoted by government, will be used for 
purposes unrelated to cyber security and could ultimately chill political speech and 
limit the growth of the Internet. Greater public participation in the development of 


CYBERATTACK CAPABILITIES (William A. Owens, Kenneth W. Dam & Herbert S. Lin eds., 
2009). 

’’•’Id. at 313. 

™/d. at 41. 

The White House, National Strategies for Trusted Identities in Cyberspace: Creating Options 
for Enhanced Online Security and Privacy (Draft), June 25, 2010, http: 1 1 www.dhs.gov I xlibrary I 
assets / ns - tic.pdf 

Steve Bellovin, SMBlog: Comments on the National Strategy for Trusted Identities in 
Cyberspace, July 11, 2010, http:j I www.cs.columbia.edu I ~smb I blog 1 2010-07 / 2010-07-ll.html 



118 


this policy as well as a formal rulemaking on the White House proposal could help 
address these concerns. 

Thank you for the opportunity to testify today. I will be pleased to answer your 
questions. 


Biography foe Marc Rotenberg 

Marc Rotenberg is Executive Director of the Electronic Privacy Information Cen- 
ter (EPIC) in Washington, DC. He teaches information privacy law at Georgetown 
University Law Center and has testified before Congress on many issues, including 
access to information, encryption policy, consumer protection, computer security, 
and communications privacy. He testified before the 9-11 Commission on “Security 
and Liberty: Protecting Privacy, Preventing Terrorism.” He has served on several 
national and international advisory panels, including the expert panels on Cryptog- 
raphy Policy and Computer Security for the OECD, the Legal Experts on Cyber- 
space Law for UNESCO, and the Countering Spam program of the ITU. He chairs 
the ABA Committee on Privacy and Information Protection. He is a founding board 
member and former Chair of the Public Interest Registry, which manages the .ORG 
domain. Rotenberg is editor of “The Privacy Law Sourcebook” and co-editor (with 
Daniel J. Solove and Paul Schwartz) of “Information Privacy Law” (Aspen Pub- 
lishing 2006). He is a graduate of Harvard College and Stanford Law School. He 
served as Counsel to Senator Patrick J. Leahy on the Senate Judiciary Committee 
after graduation from law school. He is the recipient of several awards, including 
the World Technology Award in Law. 

Chairman Wu. Thank you very much, Mr. Rotenberg. 

Now it is in order for questions, and first I want to note that we 
in Congress sit on multiple Committees, and as is frequently the 
case where there are two flies flying in the Grand Canyon, they col- 
lide, and I have votes occurring right now in my other Committee 
and I will have to excuse myself after asking this first set of ques- 
tions, and I aspire to come back because this is a very, very impor- 
tant topic that I care about very much. 

Secondly, I would like to welcome our friends from Russia TV 
Today. I understand that Russia TV Today has also broadcast one 
of our NASA hearings. It is not unusual for foreign media to take 
a stronger interest in topics of importance to the United States 
more so than American media does at times, and we welcome our 
Russian friends. But we also want to note that the usual process 
is to accredit into the Committee prior to attendance, but you are 
welcome to stay today. 

Now, I think that each of the witnesses referred to both in your 
spoken and oral testimony that there may be some limited role for 
deterrence and that there may be some greater role for attribution 
in protecting legitimate interests on the Internet, but that both de- 
terrence and attribution to different extents are overplayed in the 
current discussion. I would like each of the witnesses to the extent 
you can or want to address first that opening query about deter- 
rence and attribution. 

Mr. Rotenberg. Well, I will jump right in and I am sure the 
other witnesses will make comments. I cited in my testimony the 
conclusion of the National Research Council report because I 
thought this was a very thoughtful point they were making, par- 
ticularly with non-state actors. They said attribution would be dif- 
ficult. We are talking about entities that are typically outside of 
the United States so you would need an attribution technology that 
is global, not easy to identify outside the United States, not much 
of a technical infrastructure, which means that there is not much 
opportunity to respond, and with some of the non-state actors, it 



119 


is not even clear they wouldn’t mind being identified. It is almost 
the exact inverse of the model that we had during the Cold War 
in our relationship with the Soviet Union, and I think the National 
Research Council report makes this point very well. 

Mr. Giorgio. Yes, I would like to add, even in the hearing back- 
ground that was put together by the staff, we talk about attribu- 
tion not only from a point of view of identifying the person who is 
on the other side but perhaps just identifying at least the location 
they are coming from. So if you have a purist view of attribution, 
I certainly agree that it is extremely difficult technologically to 
guarantee you know who the human person is on the other end, 
but that doesn’t mean that some attack attribution technology 
wouldn’t give us lots of information which could be used for other 
purposes such as shutting down the computer at the other end 
independent of who is on it. Thank you. 

Dr. Wheeler. If I may speak as well, as I noted earlier, there 
is no possibility of having absolutely perfect defenses, so I believe 
there is value for attribution. On the other hand, we have to admit 
that attribution itself is difficult and there are some serious limita- 
tions to that as well. You know, attackers can cause attacks to be 
delayed and perform their attacks through lots of intermediaries 
and often can make it very difficult to attribute when they don’t 
want to be attributed. And so basically I think computer network 
defense shouldn’t depend on attribution, it should be part of a larg- 
er strategy having basically multiple tools in the toolbox. 

Mr. Knake. The only comment I would add is that for the last 
decade our strategy for preventing another major terrorist attack 
on U.S. soil has both been effective and does not in any way mate- 
rially rely on deterrence so I think that may be a better model for 
how we deal with the cyber threat, to focus on prevention, to focus 
on protection, to focus on resiliency rather than to focus on trying 
to deter cyber actors. The only other point I would make is that in 
a lot of cases we don’t lack attribution, we lack response options. 
We don’t know what we should do when we discover that the Chi- 
nese have hacked into Google in 30 other countries. We seem to 
have fairly good evidence that they did that. We have traced the 
attack back. We have then asked for an explanation and we have 
not received it. I am not sure how better attribution one further 
layer down would help resolve that problem. Similarly, with French 
intelligence or Russian criminals, Nigerian scammers, we know 
their national origins. We simply lack response options and a 
mechanism for cooperating and requiring cooperation internation- 
ally. 

Chairman Wu. Thank you very much. Because there are votes 
going on and not only votes for me in my other Committee but I 
am told close votes, I am going to ask one further question and 
then I am going to step out and aspire to return promptly after 
those votes. 

Thank you for your answer to the deterrence and attribution 
question and its utility. Following up on that, I think several of 
you, perhaps all of you have noted that to the extent that there is 
a deterrent utility and that there is a capability for attribution, 
that there is also potentially or there is a drastic effect on speech 
and free flow of information, and I think, Mr. Giorgio, you stated 



120 


in your written testimony that there is a necessary tradeoff, and 
I don’t know if others put it quite that crisply, but can you address 
that issue to the extent that we put attributability capability into 
the backbone of the Internet that we would be decreasing anonym- 
ity, freedom of speech and freedom of inquiry? Whoever wants to 
start with that. 

Mr. Giorgio. Chairman, since you referenced me, let me also say 
that I do believe that we need protocols with a lot more privacy in 
them, and I am very troubled by the situation today because frank- 
ly a lot of people learn information about us that they shouldn’t 
need to know in, for example, a financial transaction. So it is very 
important that we build new protocols to protect anonymity or pri- 
vacy, I should say, when it is called for. 

Mr. Rotenberg. I should say also, Mr. Chairman, that many 
businesses that operate on the Internet have identification require- 
ments. In fact, there is a big controversy right now involving the 
company Blizzard, which offers World of Warcraft, and they are 
now requiring the use of true names for people who come in the 
forums and it has, you know, provoked a big discussion about, you 
know, identity requirements as a way to make people a little more 
hospitable online, but the key point here is that whatever decisions 
private companies might make about identification is really very 
different from a government-mandated identification requirement, 
because what a government-mandated identification requirement 
does is basically hold out the specter that if you say something that 
is unpopular and the government can trace it back to you, the gov- 
ernment can hold you accountable, and I think that is really anath- 
ema to our view in the United States of freedom of expression, and 
so it concerns us, of course, that a government-mandated identifica- 
tion requirement wherever it may be imposed in the world could 
have a similar impact on political speech. 

Mr. Knake. I think I would echo those comments, but I would 
also add that I see the equation in need of being reversed. I actu- 
ally think government needs to do a better job of protecting the pri- 
vacy of users in the commercial arena. That is where the biggest 
threat to privacy is today. The reliance on anonymity, which is still 
very, very useful for protecting freedom of speech and is useful for 
protecting freedom to access information, is not useful in the con- 
text of communicating, banking and interacting the way we do on- 
line and increasingly commercial web operators are tracking their 
users without telling them by downloading cookies onto their com- 
puters, some very insidious forms, and using other geolocation 
technologies that your browser, your computer, your Internet serv- 
ice provider and the services that you are using online are all by 
default not going to tell you that that is going on so essentially you 
surrendered your anonymity without knowing it, and in my view, 
government needs to step in to create some form of disclosure that 
is upfront and obvious to the average Internet user that for the 
free content they will be tracked and that will be used to target ad- 
vertising at them. 

Dr. Wheeler. If I may jump in also, first of all, getting back a 
little bit to the original question, clearly attribution technologies 
have potential to greatly harm anonymity, pseudonymity, privacy 
and so on but it is not the same for all the different technologies. 



121 


Some technologies are much riskier than others. I cite probably the 
more egregious example, recording every bit that goes back and 
forth between a user and everything else has radically different ef- 
fects than storing much smaller pieces of information, you know, 
fingerprints and so on. So depending on what is stored and how it 
is stored makes a big difference on the effect on anonymity and pri- 
vacy and pseudonymity. 

Mr. Giorgio. May I make an additional 

Chairman Wu. Mr. Giorgio, yes. 

Mr. Giorgio. Thank you. You know, I think credibility is very 
important when we decide who to listen to, so whether it is the dis- 
tinguished Members of this Committee or my distinguished col- 
leagues, when they speak, I want to listen because I know what 
they have gone to get to the position they are in today. So all of 
that is lost when people speak with anonymity, and so I would — 
and even during emergencies, it would be very important to me, for 
example, if somebody who is reporting from ground zero if I have 
some confidence that they are actually at ground zero. So the credi- 
bility of listening to what people have to say is tied up to some ex- 
tent in being able to attribute who they are, what their past is, 
how they came to be in that position and why we should listen to 
them, and where they are. Thank you. 

Chairman Wu. Thank you all very much. I am going to hand 
over the gavel to the gentlelady from Maryland, Ms. Edwards, and 
before I do that, I will recognize Mr. Smith for his questions. 

Mr. Smith. Thank you, Mr. Chairman, and I appreciate the op- 
portunity, and I would also like to briefly note that it is my under- 
standing a follow-up hearing in which we hear from NIST, the Na- 
tional Science Foundation and other relevant Federal agencies is 
under consideration, and I would certainly like to offer my support 
for holding such a hearing. 

Regarding the questions that I have, I was wondering if you 
could just share what you think are the best methods for tracing 
the attacks, anyone? Maybe start with Dr. Wheeler. 

Dr. Wheeler. That actually turns out to be more difficult than 
you’d like. I would like to give you a very simple, “there it is, there 
is the one solution,” and of course, life is often more complicated 
than we wish it could be. Actually, what is intriguing, when I start- 
ed writing this particular paper that I mentioned earlier and I sub- 
mitted as testimony, I didn’t expect there to be many different pos- 
sibilities to do this, and it turned out in fact there are a very large 
number, and although I haven’t worked on this particular area 
more recently, the number can only go up. So there turns out to 
be a remarkably large number of ways, and unfortunately what it 
really turns out to be is, I suspect people aren’t surprised when you 
go to technologies, there are various tradeoffs. Some of the tech- 
niques are particularly helpful for tracking down what is called de- 
nial of service attacks. You are being attacked, sent a lot of mes- 
sages, maybe from many different places, and there is basically 
constant streaming of data. In that case, the very fact that some- 
one is constantly sending messages to you and trying to overwhelm 
your systems means that you can try to track back, “well, I just 
wait for the next one and start looking backwards that way,” for 
example. But of course, those techniques that depend on that don’t 



122 


work for many kinds of attacks where in fact that isn’t what hap- 
pens, it is a few messages and all of a sudden your systems are 
down or something terrible has happened. So I don’t believe there 
is a single answer. There is a set. And one other good thing about 
that from the point of this particular hearing is that some of them 
are much more egregious or concerning in terms of privacy and at- 
tribution. Probably one of the more extreme examples I guess 
would be what is informally called hack backs where you actually 
say, “I am being attacked, I am breaking into the computers back- 
wards to find out where that comes from.” Unsurprisingly, that is 
severely restricted by U.S. laws, as well it should be. But some- 
times, particularly if those systems are under control of outside 
powers and it is really critically important and nothing has been 
pre-positioned that may be one of the few techniques available. 

I will quickly note, though, that a number of these techniques 
fundamentally require pre-positioning. You can’t wake up in the 
morning and say, “I would like to know where this attack came 
from.” Many of these techniques require systems to be already in 
place before you can do the attribution, and I think that is one of 
the reasons why discussions and hearings like this are necessary, 
because if we the United States wish this kind of capability, we are 
going to need to put things in place and thus that requires this 
kind of discussion that we are having today. 

Mr. Smith. Thank you. 

And since I have limited time, I also want to note, Mr. 
Rotenberg, in your testimony you said that no matter how good at- 
tribution technologies are that it will probably still fail to identify 
the most sophisticated attackers. So I guess I have to ask the ques- 
tion, are our efforts futile, and if other attribution technologies will 
not be able to get the job done, what are the other options for pro- 
tecting us from cyber attacks? 

Mr. Rotenberg. Congressman, thank you for the question. I 
don’t think they are futile, and I think it is important particularly 
for us to improve our security through education and open stand- 
ards. I think it is important to develop better forensic techniques 
so it is possible to trace back attacks, as Dr. Wheeler described. I 
will also mention that, you know, one of the key problems here 
which was uncovered in a workshop shortly after 9/11 that I par- 
ticipated in where people were talking about attribution. Admiral 
Poindexter brought us together and said well, how do we solve this 
problem, and someone said well, you could, you know, hash a per- 
son’s unique DNA against every keystroke so that everything that 
went from your keyboard, every single stroke was uniquely defined 
to, you know, tied to a biometric identifier, and people said “wow, 
we have solved the attribution problem, isn’t that great,” and some- 
one said “well, what if you have a guy standing next to the user 
with a gun telling someone who is authorized to type into the key- 
board, now what do you do?” In other words, you can have perfect 
attribution in a hostage situation, and by the way, probably a good 
plot for a movie, and still not be able to prevent a smart attacker, 
which I think reveals really how difficult this challenge is. I am not 
saying we shouldn’t improve security or pursue good forensic tech- 
niques. I just think it would be a mistake for practical reasons in 



123 


addition to human rights reasons to place too much emphasis on 
attribution. 

Mr. Smith. Okay. Thank you. 

Ms. Edwards. [Presiding] Thank you, and thank you to all the 
witnesses today. I just have basic questions kind of as a consumer. 
All these questions revolve around balancing the need for security 
against the protection of privacy and so where do you strike that 
balance. 

Mr. Rotenberg, I wonder if you could tell me, almost every 
website on the Internet uses cookies to collect data over activity. 
As a consumer I know I get to make a decision, do I really want 
to type in all of that personal information that they ask me or go 
through the list of things until I find out that I actually don’t have 
to give them that information at all unless, if I check the box way 
down at the bottom after scrolling and scrolling and scrolling, and 
then you get free services in exchange for turning over all of your 
information and so there are instances, for example, where the 
user wants to do that and so they make a decision. There are other 
instances for some reason to get something sent to your home, the 
commercial enterprise has to have it, otherwise they can’t mail 
what it is that you want. And so how is that the need to protect 
the user privacy being as important as it is can the Federal Gov- 
ernment help me, the average Internet user, understand what my 
options are and what the consequences are for sharing that infor- 
mation, for sharing it at that moment, but also the longer term 
consequences once that information is housed someplace or other or 
shared with some other source? 

Mr. Rotenberg. Congresswoman, thank you for the excellent 
question. While on the national security side I imagine there is a 
sense that there is not enough attribution, I can tell you on the 
consumer side, there is a sense that there is way too much attribu- 
tion, which is to say that when someone does a Google search, you 
simply type in, you know, apartments, Virginia, because you are in- 
terested in trying to find an apartment in Virginia. I bet no one 
has any understanding or very few people do that at that moment 
in time Google will record the time and the day when the search 
was made, the search query, the cookie tied to the user ID. If they 
have a unique identity, the IP [Internet Protocol] address for the 
device, that will also be recorded. All of this information will be col- 
lected and stored by the company for eveiy single search and kept 
for months and maybe years building this enormous profile, and 
from the privacy perspective, we think that is very invasive. It 
even creates some security risks if the information is misused. In 
fact, part of the great concern about network vulnerability, Google’s 
experience in China was that they essentially lost control over a lot 
of sensitive information because of internal vulnerabilities that 
were exploited. That information that they lost control of included 
a lot of personal data on Google users. So we think on this side, 
the government actually has a role in protecting consumer privacy 
by limiting the amount of data that is being collected and giving 
people more control over that data. 

Ms. Edwards. Thank you. 

And then Mr. Giorgio, you mentioned in your testimony that the 
bulk of the privacy concern is actually directed at our own govern- 



124 


ment. I was reading, I think just in the last day or so, about the 
National Security Agency program. Perfect Citizen, and while there 
is this need obviously to safeguard our infrastructure, whether it 
is our nuclear plants, the power grid, etc., there is a concern that 
using a tool like that could then really impede on all of our indi- 
vidual privacy giving up that anonymity that you have described 
as a constitutional protection but we have to rely on the govern- 
ment to really protect us from all the bad actors. So I wonder if 
you could discuss the difficulties in achieving both security and pri- 
vacy, especially when the bad guy of one concept is the protector 
of the other and in an environment where if the bad guys are oper- 
ating in concert, that is kind of one thing, but we have a whole 
bunch of just bad actors, whether they are from Nigeria trying to 
get my mother’s money or from someplace else, and those set of ac- 
tors may be uncoordinated, they may be individuals, and to draw 
a national security concern around trying to protect against those 
kind of actors is, I think, a little complicated. 

Mr. Giorgio. Yes. Thank you. Congresswoman. I couldn’t agree 
more. When Mr. Rotenberg just made his point, I agree with him 
that we may fear government least of all. It is these companies 
who have all these databases that are a true threat to us. And if 
we look at what is happening in many of these databases that are 
being collected, for example, all the databases that bind our phys- 
ical location to our use of wireless devices such as cell phones, 
these are all in the hands of the private sector, and it is quite easy, 
and in this country they are in the hands of the private sector. I 
wouldn’t go overseas and wander about with a cell phone turned 
out, you know, if I wanted to protect my anonymity or privacy, and 
so I see it over and over again that there is a myriad of bad actors 
out there, the least of which may be government, and as you point 
out, government does have a role to protect our critical infrastruc- 
ture but I am not sure they are the greatest threat to our privacy. 

Ms. Edwards. Mr. Rohrabacher, I think you are up. 

Mr. Rohrabacher. Thank you very much. 

You know, the last point that was made was very interesting. If 
you are in a relatively free society, that may be true. In a relatively 
dictatorial society, the opposite is true. And the idea of how you — 
what you demand of people who involve themselves in this arena 
of affairs in a society, it is a very complicated issue and it is, for 
example, where I happen to believe in the maximum degree of indi- 
vidual freedom. I can also understand that in France, for example, 
they don’t want to say women shouldn’t wear a burka, all right, but 
there are some national security implications to that rather than 
just cultural implications as well. We don’t permit people to go 
around hiding their identity as they are walking around the street, 
or do we? Do we in this society? 

Mr. Rotenberg. Well, it is a very interesting point. Congress- 
man. Actually the United States unlike most other countries does 
not allow its police to ask people on the street to present identity 
documents. 

Mr. Rohrabacher. Right. 

Mr. Rotenberg. There actually has to be some suspicious activ- 
ity that provides a reason for the police to be able to say to some- 
one, may I see, you know, some identification. It is not true in most 



125 


countries. In many countries, you can be asked without suspicion 
to identify yourself. 

Mr. Rohrabacher. I am wondering if a person wearing a mask, 
if that would be suspicious activity. 

Mr. Rotenberg. Yes, it is, and we actually do have anti-mask 
laws in many states in the United States, so that is generally not 
permitted. But as for your identification, that is something that we 
tend to allow people to keep to themselves. 

Mr. Rohrabacher. This is of course what we are talking about, 
cyber attacks. It is very similar to the idea, the challenge faced by 
the entertainment industry of people who are unlawfully making 
copies and downloads of material. I guess that is sort of a cyber at- 
tack. Is there technology that any of you know about that you be- 
lieve that — is this a technological solution rather than a govern- 
ment regulatory solution? 

Mr. Giorgio. So there are problems that require authentication 
and authorization, knowing who people are and what they have ac- 
cess to do, and there is a tremendous amount of very good security 
research and in fact solutions today that provide these strong ac- 
cess controls. Digital rights management, which protects music, 
you know, is one form of those controls. The goal of those controls 
is not dissimilar to the DoD goals of trying to protect information. 
So as technology gets developed in various places, it is frequently 
leveraged for other purposes. 

Mr. Rohrabacher. Is the technology solution a wall or is it a re- 
taliatory strike, you might say, against someone who has come into 
your system? 

Mr. Rotenberg. Well, in the copyright arena, it is actually a 
tracking technique. As Mr. Giorgio mentioned, digital rights man- 
agement is much like a watermark and it basically allows an entity 
both to assign its ownership of a product, of a digital product and 
also identify who the appropriate user is. So if it is in the posses- 
sion of someone who didn’t properly acquire the song or the movie, 
they will essentially be tracked down through that digital water- 
mark. 

Mr. Rohrabacher. Is it possible in dealing with the hackers and 
dealing with these types of cyber attacks to have a situation if 
someone doesn’t have an authorization to be where they are elec- 
tronically that there is an instant retaliation against their own 
equipment, meaning a disintegration of the system that is the vehi- 
cle for this aggression? 

Mr. Giorgio. So that capability is possible. You know, whether 
or not it is actually done anywhere, I don’t know. 

Mr. Rohrabacher. Is that something that we should strive for? 

Dr. Wheeler. This is David Wheeler. Is it possible? I agree with 
him, yes. Should we do it? I would be extremely hesitant. As I 
noted in my paper, attribution is something that although it can 
be done, there is also the risk of misattribution, and indeed, for 
some attackers, that may be actually their primary goal is to try 
to accomplish misattribution, perform their attack and cause 
misattribution of the attack. 

Mr. Rohrabacher. Oh, I see. 

Dr. Wheeler. And so therefore that doesn’t mean under no pos- 
sible circumstance could we never imagine this but I would be very 



126 


hesitant about installing such an automatic counterattack system 
generally for most kinds of — you know, certainly for military sys- 
tems you want a human in the loop double-checking first. 

Mr. Rohrabacher. Well, just one note, and I know my time is 
up after this, and I don’t know how to pronounce your — is it 

Mr. Knake. Knake. 

Mr. Rohrabacher. Say it again. 

Mr. Knake. Knake. 

Mr. Rohrabacher. Okay. I have surfer’s ear in this ear and I 
have trouble 

Mr. Knake. I am sorry. It is Knake. 

Mr. Rohrabacher. Knake. You mentioned that efforts made 
after 9/11 actually identifying methodologies actually had a major 
impact in preventing another 9/11. I would suggest it is not just 
identification, however. It is identification and retaliation. If we 
just had identified potential al Qaeda terrorists since then and let 
them be, we would have had another 9/11. We aggressively sought 
them out and in some cases killed them, which was good, or sent 
them to Guantanamo, which is debatable, but there was actually 
an action taken so the identification isn’t the only step that needs 
to happen if we are to protect ourselves from the electronic type of 
aggression. You can answer that if you would like. 

Mr. Knake. Thank you, sir. I think that is absolutely right, and 
I think I would go a step further. Prior to 9/11, the United States 
roving ambassador for counterterrorism, Michael Sheehan, deliv- 
ered a very stern message to the Taliban which was essentially, if 
we are attacked by al Qaeda who plan their attack on your soil, 
we will hold you responsible for that. The Taliban did not get that 
message until after 9/11 but we followed through on that. So essen- 
tially we assigned responsibility to the Taliban for the activities 
carried out by a terrorist organization on their soil. Their failure 
after 9/11 to cooperate with apprehending bin Laden resulted in 
the invasion of their country. So I think it is actually very analo- 
gous to the situation we want to move to in cyberspace where if 
a country refuses to cooperate in an investigation that attributes 
the attack to a system or an individual in their country, we in turn 
hold them responsible for it. 

Mr. Rohrabacher. Thank you very much. That was very astute, 
and I appreciate you permitting me. Madam Chairman, the right 
of questioning because I am not a member of this subcommittee. 
But thank you for allowing me to do that. 

Ms. Edwards. Thank you, Mr. Rohrabacher. 

I just have one question. We are going to take one question. We 
have been called for votes. The Chairman will come back and so 
we are actually going to recess. He is on his way back and so I am 
just going to stall and ask my question. 

Mr. Giorgio, it is actually an important question. You discussed 
the need for standards in a lot of areas and you say that govern- 
ment should actually invest in this development but allow stand- 
ards development organizations like the Internet engineering task 
force to develop them through normal processes, but Mr. Knake 
has testified to the difficulties involved in using these processes to 
produce standards, specifically new protocols and advocates for 



127 


more government involvement. How can the Federal Government 
better protect the development of consensus-based standards? 

Mr. Giorgio. So Mr. Knake is quite accurate on that point. It is 
extremely difficult to get these standards pushed through the 
standards bodies, even when various governments are behind 
them. So I think — but first and foremost we have to develop the 
technology that will allow us to propose those standards in the first 
place. In parallel, we have to work with the standards committees, 
however difficult that is, and try and influence the course of those 
standards. 

Ms. Edwards. Mr. Knake, there are just so many different agen- 
cies, though, whether you are talking about the DoD, the FBI, I 
mean, just all of these various agencies that all use so many dif- 
ferent tools. I mean, it does feel very daunting to then create a 
standard for the multiple tools that are used within these agencies. 
Do you have any comment about that? 

Mr. Knake. I certainly would recognize the problem that you are 
highlighting. I think in a couple of areas, however, it is a narrower 
issue, particularly for the main suite of Internet protocols which 
are universal, and I think we have a fairly good set of what are 
the security problems with those protocols and how they should be 
addressed, essentially how do we secure them to a standard to 
which they cannot be abused but not to a standard in which attri- 
bution becomes ironclad across the Internet, and so that is the area 
where I think we need to return to a situation of more government 
intervention. These protocols were initially developed for the De- 
fense Department with U.S. government funding. I think a similar 
initiative now would be in order in an effort to address the 
vulnerabilities that were introduced in that original protocol suite. 

Ms. Edwards. Thank you very much, and I see the Chairman 
has returned and so I will let him take it from here, and thank you 
very much. 

Chairman Wu. We have about seven minutes before Floor votes, 
and I frequently talk about having three rings going in this par- 
ticular circus at any given time, at least when we are here in 
Washington, and that is why it takes more time when we are home 
in our districts because we can only do one thing at a time there. 
I have several more questions. If the minority does not, I will try 
to get my questions in before we go vote on the Floor, but let us 
see how we do. 

Based on both your spoken but particularly your written testi- 
mony, I get the impression that you all are of the opinion that 
there is limited utility of any particular security technique, and 
that some combination of techniques would afford us potentially 
the best combination of security and privacy. Is that roughly accu- 
rate? 

Mr. Rotenberg. Yes. 

Dr. Wheeler. Yes. 

Chairman Wu. Okay. If that is the case, is it further sort of what 
you overtly state or what you imply that perhaps we have a system 
of networks in our country or in the world which are best served 
by different degrees of security and privacy/anonymity, that is, we 
might set a different standard for those networks dealing with pub- 
licly available information or journalism or blogs and opinions, we 



128 


might set a higher standard for networks dealing with utilities, the 
power grid or banking or financial transactions and we might set 
again an even higher standard for, let us say, DoD or NSA types 
of networks. Can you address that? 

Mr. Rotenberg. Well, Mr. Chairman, I think there are a couple 
different ways to think about it. Certainly we have within the 
United States and in the military community, for example, secure 
networks that are essentially not connected to the public open 
Internet, but with respect to the public open Internet, I think as 
much as possible we want to keep systems connected because of all 
the benefits that the Internet provides and place the added security 
obligations at the end points. In other words, if there are applica- 
tions or organizations or entities that have needs for enhanced se- 
curity, for example, a password and user ID is a simple one, you 
know, place the responsibility there, and as much as possible main- 
tain the common protocols of the public Internet for general use. 
Now, that is not to say, as I said at the outset, that clearly there 
will be segregated networks for specialized purposes but I am con- 
cerned as, you know, Vint Cerf and others have expressed concern 
about the possible balkanization of the Internet if we start carving 
things up too much. Literally separating parts of the network out 
from other parts, we will lose a lot of the benefit. 

Mr. Giorgio. Sir, I am on the DARPA [Defense Advanced Re- 
search Projects Agency] oversight board with Vint Cerf on an issue 
related to this, and I completely agree with Mr. Rotenberg that, 
you know, we have to preserve as much as possible for common 
use, okay? However, when somebody is providing a service at one 
end of the network and somebody somewhere else in the world is 
trying to use that service, it is the responsibility of that endpoint 
to enforce the protocol that they will demand that person to use. 
So they might be on the same backbone but we might have very 
different protocols running through that and effectively have dif- 
ferent networks, but we don’t want to physically separate them, 
and I think Marc said the same thing. 

Dr. Wheeler. If I can jump in here also, I very much by the way 
agree that there are different levels of anonymity, privacy desires 
comparing, say, the public Internet versus, say, you know, a net- 
work inside the DoD that involves classified information or weap- 
ons systems or something. You would expect a whole lot less ano- 
nymity in the latter situation. I think the interesting thing is that 
there is somewhat odd good news that attribution often tends to be 
a lot easier against insiders. We were talking about this before 
while you were out. Congressman Wu, but many of these attribu- 
tion technologies fundamentally require pre-positioning. You have 
got to put the technology in place ahead of time. That tends to be 
easier to do inside a smaller closed network. The DoD is of course 
large but nevertheless it is certainly not as large as, say, the 
United States as a whole or some such and therefore when you 
have a smaller network, you can treat it as inside an organization. 
It is much easier pre-positioning things. And so in that sense, at 
least, you can put attribution technologies available that perhaps 
at least will tell you well, he is inside and there he is, or he is out- 
side and now at least maybe I should start closing off the gates for 
them to come inside. 



129 


Chairman Wu. Some of you have addressed the need for stand- 
ards for the operation of anonymity services like Hotspot Shield, 
and I think the argument is that because these services make it 
easier for folks to do all sorts of things anonymously that there is 
an interest in different forms of access or identifiers in order to 
gain this level of anonymity, and there may be a difference of opin- 
ion on this issue and I would like to have that specifically ad- 
dressed. 

Mr. Rotenberg. Well, let me say that, you know, pure anonym- 
ity means that you really can’t trace back to the user. Now, there 
are a lot of escrow-style configurations where you can allow people 
to conceal their public identity but still put a responsibility on a 
service provider to say, for example, with a warrant we now need 
to know who this person is and this isn’t true anonymity but it 
gives, you know, many of the elements of anonymity. Here is the 
hard problem. You know, true anonymity, which we think is impor- 
tant, will protect the political dissident in a country that is hostile 
to the person’s views and may in fact imprison the person if his 
identity is known. Pure anonymity will also protect the pedophile 
who is trying to distribute images on the Internet and should be 
prosecuted and imprisoned. And do you see in this one tool, you 
know, there is one application that we would value very much and 
another application that we would try to prevent, and if we go the 
half step in and we say, well, maybe we should allow this through 
a pseudonym escrow service, it will be easier to catch the person 
engaging in the transfer of child pornography but it will also be 
easier to catch the human rights advocate. It is not a simple prob- 
lem. 

Chairman Wu. Well, that is what I was thinking about in read- 
ing the testimony. One of the trapdoors is, if you get a legitimate 
judicial decree asking for identification in connection with a crime, 
well, we in our society would view pedophilia as very legitimate for 
such a judicial decree, and it is my impression that there are other 
countries where for what we view as vague crimes like breach of 
state security which can cover a whole host of activities that in this 
country we view as legitimate that that may result in the issuance 
of a valid judicial decree, and the question is, how does the third 
party respond to such a judicial decree which on its face these two 
decrees are indistinguishable? 

Mr. Rotenberg. That is the dilemma. 

Mr. Giorgio. I think we need to rely on other types of third par- 
ties in these circumstances. It might be perfectly okay for me to 
positively identify myself to my identity provider but then perhaps 
that identity provider could enable me to talk to a search agent, 
for example, and maintain my privacy. The identity provider might 
be blind to everything I do and the search — the service doing the 
searching for me doesn’t know who I am but yet because that pri- 
vacy is provided to me by a third party. 

Mr. Knake. I would only add that if what you are looking for is 
anonymity, there is a limited number of reasons that you really 
need that. It is freedom of speech, it is access to information. So 
restricting the ability to use these services for transactions can cut 
down on a lot of criminal behavior and a lot of network infiltration. 



130 


Chairman Wu. If there is no further answer on this question, the 
rules of this Committee preclude us from recessing and recon- 
vening without a minority Member present, and since that appar- 
ently is not possible, I am going to adjourn this meeting momen- 
tarily. I do want to point out — well, there are many additional 
questions, many additional topics to be covered. You all have pre- 
pared very thorough presentations, and it is normally the practice 
of this Subcommittee in addition to asking many questions to give 
you all an opportunity to say anything in addition that has not 
been asked. We apparently will not have that opportunity today. 
There will be written inquiry of each of you. In particular I am cu- 
rious as to the confidence that the legal analyses that some of you 
all have presented, your level of confidence since these are district 
court opinions, and I also want to commend the law clerks for hav- 
ing done a fine job. I just want to add that I think there is enough 
material here for an interesting law review note or maybe several 
law review notes, and also in particular I would like to have ad- 
dressed the role of international agreements, international stand- 
ards and agreements about what constitutes a breach, what con- 
stitutes an attack, and what kind of standards there should be for 
the various technologies for attribution or otherwise, and finally, I 
think that addressing the issue of standards in general needs to be 
further fleshed out. 

I want to thank you all for your presence, for your tolerance for 
the wrinkles in Congressional operation, and as I said to some of 
you before the hearing began, you prepared very, very thoughtful, 
thought-provoking and dense materials. It is as if I were trying to 
reduce to five or ten pages how Congress really works, the version 
that is not in your high school civics textbooks. It would require a 
lot of parsing of what is between the lines. 

I want to thank you all very much for being here today. The Sub- 
committee hearing is adjourned. 

[Whereupon, at 11:19 a.m., the Subcommittee was adjourned.] 



Appendix: 


Answers to Post-Hearing Questions 


( 131 ) 



132 


Answers to Post-Hearing Questions 

Responses by Dr. David A. Wheeler, Research Staff Member, Information Technology 
and Systems Division, Institute for Defense Analyses 

Questions submitted by Chairman David Wu 

Ql. Information sharing is critical for success in cybersecurity, whether it supports 
attribution of attacks or awareness of vulnerabilities. How important is it to 
have common nomenclature, common metrics, and standard sharing methods 
for success in information sharing? How should these different elements be de- 
veloped, which government agencies should be involved, and what roles should 
they play throughout the process? 

Al. In any technical endeavor it is important to have some common nomenclature, 
common metrics, and standard sharing methods in the areas most important to the 
task. In many cases these should be developed through a partnership between gov- 
ernment, industry, and academia. The government organizations that should be in- 
volved should include those in charge of defending the country and/or involved in 
information technology (IT) standards. These government organizations include the 
Department of Defense (DoD), the Intelligence Community (IC), the Department of 
Homeland Security (DHS), and the National Institute of Science and Technology 
(NIST). 

Q2. Many of you have discussed the need for new internet protocols to be built on 
the concepts of security, authentication, and attribution. What parties would 
help develop and implement these protocols and what would their roles be? Who 
would use these new protocols and would multiple protocols diminish the utility 
of the internet? 

A2. I do not believe there is a need to replace the existing suite of Internet (“TCP/ 
IP”) protocols with radically different protocols. Even if this were desired, the cost 
and effort to make this switch would exceed any likely benefits. For example, orga- 
nizations are currently adding support for version 6 of the Internet Protocol (IP), 
in addition to version 4, yet this minor change is taking more than a decade to com- 
plete. Thus, instead of wholesale replacement, there is primarily a need to develop 
new protocols (for new functionality) that build on top of the existing protocols. In 
a few cases there may need to be extensions of existing protocols (to add new capa- 
bilities) but this is still different from replacement. 

There are already standards-setting bodies whose purpose is to develop and pro- 
mulgate Internet protocols, such as the Internet Engineering Task Force (IETF) and 
the World Wide Web Consortium (W3C). The government, industry, and academia 
should gather within these standards-setting bodies help develop the specifications 
of these protocols. Where attribution-related standards are involved, “attribution 
techniques that pose less danger to privacy should be the ones most encouraged.” ^ 
The internet already has many protocols; as long as each protocol performs a spe- 
cific task not performed by others, this is not a problem. However, having multiple 
incompatible protocols with the same functionality does bear the risk of diminish 
the utility of the internet, due to incompatibilities between parties. 

The key mechanism to countering such incompatibilities is for users to insist that 
their systems, including all network protocols, must be built using open standards. 
“Standards should be publicly defined and held. This way, no single vendor controls 
others, permitting competition.” ^ Any patents possibly present on parts of the 
standard must be made irrevocably available on a royalty-free basis. This is because 
a “standard that cannot be implemented without a patent license gives a special ad- 
vantage to the patent holder(s). Such patents constrain or prevent competition, and 
thus undermine the advantages of standards listed above” ®). There must be no con- 
straints on the use and re-use of the standard (since such constraints would threat- 
en to balkanize the Internet). The standard’s specification document should be avail- 
able without fee over the Internet (the IETF and W3C already do this), enabling 
all to copy, distribute, and use the standard freely."* 


1 Wheeler, David A. and Gregory N. Larsen, “Techniques for Cyher Attack Attribution,” Insti- 
tute for Defense Analyses Paper P-3792, October 2003 (hereinafter referred to as “IDA 2003 
”). Section 3.13. 

2 [IDA 2003], section 3.7. 

^ [IDA 2003], section 3.7. 

*This definition from Digistan is available at http:/ 1 www.digistan.org I open-stand- 
ardidefinition, and is a clarification of the definition by the European Union (EU) European 
Interoperability Framework (EIF). 



133 


Many attribution “techniques are immature and will require funding before they 
are ready for deployment. If the [government] wishes to have a robust attribution 
capability, it must be willing to fund its development and deplo 3 mient.”® 

Q3. Please discuss how the level of confidence can have an impact on the utility of 
attack attribution. Please relate the level of confidence to the spectrum of avail- 
able responses including diplomatic, economic, cyber, and kinetic. 

A3. Responses that are especially damaging or non-reversihle, such as kinetic re- 
sponses, should he avoided unless the attribution confidence is extremely high, typi- 
cally through confirmation by multiple methods. 

One issue that must be kept in mind is that attackers may “wish to cause 
misattribution as their primary purpose, rather than actually be successful at the 
attack. For example, if there is already tension and conflict between two adversaries 
(e.g., two countries A and B), a third party (C) could try to attack one (A) and cause 
the attack to be misattributed to the other party (B). Thus, the third party could 
escalate a conflict between others simply by forging attacks.”® 

Ideally, “an attribution process would also report the confidence level in the attri- 
bution, but this information is often not available.”^ In some cases, using multiple 
techniques and using techniques that resist misattrihution can increase confidence. 
Fundamentally, however, “computer network defense should not depend on attribu- 
tion. Instead, attribution should be part of a larger defense-indepth strategy.”® 

Q4. Are there any other thoughts or issues you would like the share with the Com- 
mittee on attack attribution and cybersecurity? 

A4. As noted in my paper, a good first step would be to “change the terrain” of our 
computer networks so that attacks are less likely to be successful or are more dif- 
ficult to hide. We need to harden our information technology (IT) systems (including 
clients, servers, and network components) to resist attack far better than they cur- 
rently do. This is partly because this reduces the need for attribution, and partly 
because this makes them more difficult to exploit as intermediaries. We should 
harden our routers and hosts so that attrihution is easier (e.g., limit the use of 
spoofable protocols and disable broadcast amplification/reflection). Finally, we 
should consider implementing network ingress filtering on government networks at 
all levels, so that data packets cannot cross between networks unless they truly 
could be from the claimed network.® 

We should decrease the number and impact of vulnerabilities in commercial soft- 
ware (both proprietary and open source software) we use, via: 

1. Education. We should try to ensure that all software developers know how 
to develop secure software. This knowledge includes knowing the common 
mistakes and methods to prevent these mistakes. Since the U.S. economy de- 
pends on software and nearly all software connects to a network or uses data 
from a network, practically all software developers now need this knowledge. 
Unfortunately, secure software development education is often available only 
as an optional graduate-level course. 

2. Improved tools and standards. We should enhance software development 
tools (such as programming languages and key libraries) and their standards 
so that writing secure software is much easier, mistakes leading to 
vulnerabilities are much less likely, and mistakes are easier to detect before 
the software is released to users. 

The government should consider becoming even more involved in the development 
and deployment of open standards. It is currently government policy to encourage 
the use of commercial items where applicable, for reasons that are well-understood. 
However, commercial items are less likely to support government needs and con- 
cerns if the standards they are based on were not developed with those consider- 
ations. The government has unique needs and concerns, both as a user and as a 
representative for the people of the United States, including issues around 
cybersecurity, privacy, and anonymity. It should be noted that in some cases the 
government is already involved in standards development, and in some cases the 
government asks if the commercial products it buys meet the relevant standards. 
However, to ensure that commercial products will be suitable for its own use and 
use in the country, the government should ensure that it has “a seat at the table” 


® [IDA 20031, section 4. 

6 [IDA 2003], section 3.15.3. 
niDA 2003], section 3.15.3. 
s [IDA 2003] section 4, conclusion 2. 

®See [IDA 2003], especially section 4, conclusion 6. 



134 


when key information technology standards are set, ensure that those standards are 
open standards, and require that the commercial items it purchases correctly imple- 
ment the relevant standards. 

Questions submitted by Vice Chair Ben R. Lujan 

Ql. The Fourth-generation of cellular wireless network standards being developed 
uses the internet protocol suite and would extend the internet to cellular devices. 
What are the implications of this 4G standard for this discussion on privacy and 
attribution? 

The Internet protocols have long been demonstrated and used for wireless commu- 
nication. Indeed, DARPA experiments in the 1970s demonstrated that packet radio 
networks could interact with other networks using protocols that eventually became 
the Internet protocols. However, I have not evaluated the 4G standards in depth for 
their implications on privacy and attribution, so I cannot give a specific answer 
about the 4G standards. If the government is concerned about the privacy or attri- 
bution affects that 4G standards could have on itself or its citizenry, it should be 
involved in the development of those standards. 



135 


Answers to Post-Hearing Questions 

Responses by Mr. Robert Knake, International Affairs Fellow, Council on Foreign Re- 
lations 

Questions submitted by Chairman David Wu 

Ql. Information sharing is critical for success in cybersecurity, whether it supports 
attribution of attacks or awareness of vulnerabilities. How important is it to 
have common nomenclature, common metrics, and standard sharing methods 
for success in information sharing? How should these different elements be de- 
veloped, which government agencies should be involved, and what roles should 
they play throughout the process? 

Al. In my view, we need to move beyond information sharing as the answer to ad- 
dressing cybersecurity. Along with “public-private partnerships”, information shar- 
ing has been called out as the solution to cyber security for the last two decades. 
The idea is that once companies and individuals are informed about threats and 
vulnerabilities, they will be armed with the information they need to improve secu- 
rity. That was a good theory but it is one that has turned out to be proven wrong 
by the facts. Information sharing is in fact quite good in cybersecurity. At last count, 
there were more than thirty partnerships between the Federal Government and the 
private sector to share information on cyber security. The National Institute of 
Standards has done a excellent job of providing standard nomenclatures for policy 
makers and practitioners. Efforts such as the National Vulnerability Database and 
the Common Vulnerabilities and Exposures naming standard provide the technical 
means for exchanging information. Information sharing is good. It is getting better. 
We now need to take a hard look at why better information sharing hasn’t led to 
better cybersecurity and then develop remedies. 

Q2. Many of you have discussed the need for new internet protocols to be built on 
the concepts of security, authentication, and attribution. What parties would 
help develop and implement these protocols and what would their roles be? Who 
would use these new protocols and would multiple protocols diminish the utility 
of the internet? 

A2. I believe that the current iterative, consensus-based process through the Inter- 
net Engineering Task Eorce for the development of protocols is broken. By way of 
example, look at DNSSEC. The security flaws in the Domain Name System (DNS) 
that DNSSEC is designed to address were first discovered in 1990. It took another 
decade to develop the first specification for DNSSEC. In 2010, we are just taking 
the first meanin^ul steps to implement the solution and it will likely take another 
decade for widespread adoption. In my view, government needs to set the goals, 
fund the research, and then require implementation. The argument that the pace 
of innovation is too fast for government regulators to keep up with is patently un- 
true given the thirty-year timeframe to develop and implement DNSSEC. I believe 
that the U.S. government should layout a technical challenge to the IETF on a strict 
timeframe to develop a secure suite of protocols, fund the development, and require 
implementation. 

Q3. Please discuss how the level of confidence can have an impact on the utility of 
attack attribution. Please relate the level of confidence to the spectrum of avail- 
able responses including diplomatic, economic, cyber, and kinetic. 

A3. With existing technologies, we can have a high degree of confidence in our abil- 
ity to trace an attack back to a system. The difficulty is in determining both the 
originating system and the human at the keyboard. In almost every conceivable 
cyber attack, we will be able to trace the attack back to at least the first system 
and then ask the host country for assistance with further investigation, if they 
refuse, we can say with confidence that they are uncooperative and assign them re- 
sponsibility. Ultimately, attribution back to the originator of the attack may take 
time, particularly for the President and Congress to authorize diplomatic, economic 
or kinetic responses outside the cyber domain; however, as in our response to the 
terrorist attacks of 9/11, we may respond “at a time of our choosing”, once we have 
enough confidence to act. 

Q4. Are there any other thoughts or issues you would like the share with the Com- 
mittee on attack attribution and cybersecurity? 

A4. Not at this time. 



136 


Questions submitted by Vice Chair Ben R. Lujan 

Ql. The Fourth-generation of cellular wireless network standards being developed 
uses the internet protocol suite and would extend the internet to cellular devices. 
What are the implications of this 4G standard for this discussion on privacy and 
attribution? 

Al. I am not familiar enough with this issue to provide a meaningful response. 



137 


Answers to Post-Hearing Questions 
Responses by Mr. Ed Giorgio, President and Co-Founder, Ponte Technologies 

Questions submitted by Chairman David Wu 

Ql. Information sharing is critical for success in cybersecurity, whether it supports 
attribution of attacks or awareness of vulnerabilities. How important is it to 
have common nomenclature, common metrics, and standard sharing methods 
for success in information sharing? How should these different elements be de- 
veloped, which government agencies should be involved, and what roles should 
they play throughout the process? 

Al. Common nomenclature and metrics are extremely important to move the cur- 
rent state forward. Standards have been very difficult to achieve in this area due 
to the vested interests of the private security service companies who want to develop 
these standards as their individual intellectual property and only make them open 
source after they have achieved sufficient market penetration. In some cases these 
private companies have no interest in standards at all because they don’t want their 
systems to easily interoperate with competitor systems as that might cause them 
to eventually be marginalized. This resistance can be overcome by government ac- 
tivities such as the Security Content Automation Protocol (SCAP) currently under- 
way by NIST, NSA, and others. 

SCAP details can be found on the NIST web site. In short, SCAP is a synthesis 
of interoperable specifications derived from community ideas and is initially focused 
on vulnerability management. Subsequent activity will expand to include compli- 
ance, remediation, and network monitoring. Existing SCAP standards include Com- 
mon Configuration Enumeration (CCE) , Common Vulnerabilities and Exposures 
(CVE), Open Vulnerability and Assessment Language (OVAL), Common Vulner- 
ability Scoring System (CVSS) and others. 

Q2. Many of you have discussed the need for new internet protocols to be built on 
the concepts of security, authentication, and attribution. What parties would 
help develop and implement these protocols and what would their roles be? Who 
would use these new protocols and would multiple protocols diminish the utility 
of the internet? 

A2. As mentioned in my testimony, government cannot by itself mandate changes 
in underlying infrastructure technologies (Ex. IPv6). DARPA, NSA, NSF, and the 
research elements supported by the Comprehensive National Cyber Initiative all 
should be working to research and develop new capabilities. These could be re- 
searched, designed, implemented, piloted, and ultimately become operational on 
DoD and Intelligence networks, where attack attribution is far more important. 

New protocols based on the above research should be introduced through the 
IETF, as this process is the most likely to encourage commercial acceptance and de- 
ployment into worldwide networks. For security standards or algorithms, NIST is 
the appropriate agency. 

As for using multiple protocols, we’ve done this for decades with considerable suc- 
cess. The challenge is to make sure that different protocols complement each other 
rather than cause uncertainly, confusion, and even counter productivity. The way 
to reduce this risk is to make sure the standards development processes are not 
done in isolation as has frequently happened in the past. 

Q3. Please discuss how the level of confidence can have an impact on the utility of 
attack attribution. Please relate the level of confidence to the spectrum of avail- 
able responses including diplomatic, economic, cyber, and kinetic. 

A3. If we have a legally meaningful level of confidence in attack attribution then 
the utility of this goes beyond mere attribution, as some would-be attackers will be 
deterred by the ramifications of that attribution. We should have fine-grained con- 
trol over what level of identification and authentication we require before access is 
granted. This in turn will give us control over the level of confidence we have in 
attribution. Perhaps for a low value target we would just accept that it’s going to 
be attacked and not bother so much with attribution. 

The level of confidence one can have using attack attribution technologies varies 
dependent on the: 

1. Type of hardware the attack is emanating from, 

2. Specific operating system and application software in use, 

3. Level of user authentication used on that system. 



138 


4. Internet protocols, including security protocols such as IPSEC, and 

5. Cooperation from the Internet Service Providers (ISPs) 

If the identity of the individual is required, that is harder than just knowing the 
machine from which the attack is emanating, and that, in turn, is much harder 
than knowing the geo-location of the that machine. As mentioned in my testimony, 
trying to pinpoint the exact individual who is willfully committing the attack cannot 
be done with a high level of confidence due to problems with the security on the 
system the attack is emanating from. 

Consideration of all the above attributes will be required to obtain a level of con- 
fidence suitable for the appropriate diplomatic, economic, cyber, and kinetic re- 
sponse. A diplomatic response such as a formal state department demarche does not 
appear to be much of a deterrent at all, as countries like China and Russia will sim- 
ply deny it. Economic responses could be very valuable, but will require an inter- 
national approach which does not impinge on the individual nation state sov- 
ereignty. Cyber responses are certainly unclear as to their effectiveness, especially 
since the U.S. is the most dependent on cyber and has the most to lose in a cyber 
conflict. Finally, a kinetic response of course escalates any cyber attack to a much 
higher level conflict and cannot be done without absolute certainty of where the at- 
tack is coming from. Even then, I doubt there would be much national or inter- 
national support for such an action and this response should be avoided. 

Lastly, in answering this question, it is important that research & development 
be done in all the five areas listed above as advances in these areas will both stop 
some attacks and deter others. DARPA, NSF, NIST, and NSA all have a role in ac- 
complishing this. 

Questions submitted by Vice Chair Ben R. Lujan 

Ql. The Fourth-generation of cellular wireless network standards being developed 

uses the internet protocol suite and would extend the internet to cellular devices. 

What are the implications of this 4G standard for this discussion on privacy and 

attribution^ 

Al. There has been an explosive growth in the availability of location databases 
that associate building and emitter identifiers (IDs) with geographic coordinates. 
While these capabilities are assisting in solving the attribution problem, they are 
also enhancing criminal activity and adversely impacting our personal privacy and 
national security. This is especially troublesome since the data is (primarily) in the 
hands of private and frequently multinational corporations. 

Examples of these data bases include information about 4G cell phones & PDAs, 
IP addresses, WiFi and WiMax emitters, cell towers, routers, gateways/points of 
presence, physical addresses, among others. Additional clues to location can be de- 
rived from the above plus timing calculations and measurements within data and 
voice traffic. 

These data bases exist in many different forms today and are perpetually up- 
dated, some in real-time. Furthermore, these data bases are held in the hands of 
multiple distinct parties, including: 

1. Classified government data bases 

2. Private commercial data bases (e.g., cell phone, PSTN, ISP, and utilities), 

3. Open-source data bases (e.g., Internet registrars, Google Maps), 

4. Unclassified (but sensitive) government data bases, and 

5. Foreign government or foreign corporate data bases. 

For example, the above data bases can be correlated and combined to discern co- 
ordinates for various scenarios, such as tracking individuals in real-time by over- 
laying their current position on a satellite image or street view to follow their every 
movement and make notes of where they went, at what time, who they met with, 
who they emailed or phoned, what they purchased, and so on. As mentioned in my 
testimony, these capabilities pose both an opportunity to do attribution when we 
need it, but a potentially catastrophic vulnerability when it is used for foreign cyber 
attacks, corporate espionage, criminal activity, and, potentially, terrorism. 



139 


Answers to Post-Hearing Questions 

Responses by Mr. Marc Rotenberg, President, Electronic Privacy Information Center 

Questions submitted by Chairman David Wu 

Ql. Information sharing is critical for success in cyber security, whether it supports 
attribution of attacks of awareness of vulnerabilities. How important is it to 
have common nomenclature, common metrics, and standard sharing methods 
for success in information sharing? How should these different elements be de- 
veloped, which government agencies should be involved, and what roles should 
they play throughout the process? 

Al. There are technical standards that enable data exchanges but it is critically im- 
portant to keep in mind that there are also legal standards that help ensure trust 
and confidence in the collection and use of personal information by the Federal Gov- 
ernment. This problem is already clear in the use of “cookies,” i.e. persistent identi- 
fiers, by government agencies in the management of Federal web sites. 

The Federal Privacy Act sets out a framework for all Federal Government agen- 
cies collecting and using the personal information of American citizens. That frame- 
work embodies a set of principles that any new Federal attribution system is bound 
to adopt. The Privacy Act limits most agencies to maintain records of individuals 
only which are “relevant and necessary” to accomplish specific purposes derived 
from statute or executive order. 

More generally, the framework prioritizes the individual citizen’s right to request 
and view all government records about him or her that do fall under a set of specific 
statutory exemptions, and for that citizen to sue the government for violations of 
the statute. 

Clearly, there is a need to strengthen the application of Privacy Act across the 
Federal Government. The original draft bill considered by Congress contemplated an 
independent Federal privacy agency to oversee enforcement of the Act. We would 
still favor this approach. Short of new legislation, the 0MB should play a more ac- 
tive role ensuring compliance with Privacy Act provisions. 

Q2. Many of you have discussed the need for new internet protocols to be built on 
the concepts of security, authentication, and attribution. What parties would 
help develop and implement these protocols and what would their roles be? Who 
would use these new protocols and would multiple protocols diminish the utility 
of the internet? 

A2. The ideal security model for new Internet protocols should focus on end-to-end 
encryption and dynamic addressing instead of attribution and surveillance. End-to- 
end encryption translates data into a secret code, thereby protecting it from the mo- 
ment it leaves the sender computer until the moment it is received by the intended 
recipient computer (and decoded). This kind of comprehensive encryption is essen- 
tial for protecting personal data that travels over vulnerable channels, such as the 
public Internet. 

Dynamic addressing serves a similar purpose in a different way. The term refers 
to Internet Protocol (IP) addresses, which computers use to direct bits of data across 
the web. There are two ways to assign IP addresses. A dynamic addressing system 
assigns each computer a random selection from a preselected pool of addresses. A 
static addressing system assigns each computer a single, permanent address. The 
latter is based on the same philosophy as attribution systems, and shares its inher- 
ent flaws. 

The most recent version of widely used Internet Protocols is IP version 6 (“IP 
V.6”). IP V. 6 enables, but does not require, network administrators, IT professionals 
who run individual networks for companies and other large organizations, to use 
static addressing. This could create new risks to users. Permanently tracing person- 
ally identifiable online conduct to individual users serves to provide hackers addi- 
tional targets. Alternative protocols can take advantage of IPv6 functionality while 
minimizing the privacy risk. 

There are numerous organizations that can assist in developing and implementing 
protocols that reflect a more resilient, open approach to internet security that rely 
on end-to-end encryption and dynamic addressing. I would recommend the Internet 
Engineering Task Force, the Internet Architecture Board, and the Internet Corpora- 
tion for Assigned Names and Numbers (ICAAN). 

Q3. Please discuss how the level of confidence can have an impact on the utility of 
attack attribution. Please relate the level of confidence to the spectrum of avail- 
able responses including diplomatic, economic, cyber, and kinetic. 



140 


A3. Attribution programs do not prevent highly skilled attackers from remaining 
anonymous. They do create vulnerable repositories of personally identifiable infor- 
mation, but only for those Internet users who are not trained in frustrating attribu- 
tion systems. In fact, these repositories would soon become tempting new targets for 
the hackers who are outside the attribution system. 

Furthermore, the National Academy report that I cited in my testimony said, “It 
is not known how much the smooth operation of society depends on such things, or 
on the assumption that they are possible. There is a risk, however, that they would 
be lost, or at least significantly impaired, if a broadly used nationwide identity sys- 
tem came into existence.” 

Again, current schemes of attribution are inherently limited, which significantly 
diminishes the levels of confidence we can invest in them. Still, one useful mecha- 
nism of attribution is called Domain Name System Security Extensions, or 
DNSSEC. DNSSEC reduces the risk of phishing by focusing attribution efforts on 
authenticating websites. That is a distinctly different approach than tracking indi- 
vidual users, and in 2008, the Electronic Privacy Information Center endorsed this 
approach in administrative comments relating to ICANN’s adoption of DNSSEC for 
websites ending in “.org” (the .ORG Domain). 

“Phishing” is a hacker term for malicious websites that pose as legitimate ones 
to fraudulently acquire sensitive information about Internet users. The primary 
mechanism DNSSEC uses to prevent phishing is a new form of authentication built 
into the Domain Name System. The Domain Name System translates the computer 
language identifiers for Internet addresses into language human users understand. 
DNSSEC adds a level of security to this process by requiring sites to use digital sig- 
natures. Digital signatures are mathematical messages which allow the users’ com- 
puter to discern whether or not the site is the one it claims to be or instead a fraud- 
ulent intruder. 

Beyond bounded approaches like DNSSEC, the Eederal Government probably not 
design diplomatic, economic, cyber, and kinetic approaches to foreign policy around 
the attribution systems currently available. They are not very reliable, and suffers 
from the limitations I’ve described in my testimony and in response to questions. 

Q4. Are there any other thoughts or issues you would like to share with the Com- 
mittee on attack attribution and cybersecurity? 

A4. Cyber security is a transnational problem that requires resilient solutions. The 
primary function of a national attribution system, in the abstract, would aim to 
solve more problems than it creates by extending the range of our country’s foreign 
policy tools and domestic policing techniques. In practice, however, available sys- 
tems can yield ambiguous results at best, which will frustrate security efforts in- 
stead of bolstering them. 

Moreover, there are fundamental privacy rights at stake. Building the capacity to 
track American citizens has always been two-edged. Large scale, preventative sur- 
veillance invites abuse. In this case, it invites the malicious users we are fighting 
to participate in the abuse. Cyber attackers can operate outside of any available at- 
tribution system, and use our system against us. 

Invariably, solving one problem in the cyber security field will create a new prob- 
lem. A smart strategy must anticipate this dynamic. 


Questions submitted by Vice Chair Ben R. Lujan 

Ql. The Fourth-generation of cellular wireless network standards being developed 
uses the internet protocol suite and would extend the internet to cellular devices. 
What are the implications of this 4G standard for this discussion on privacy and 
attribution? 

Al. As mobile phone companies such as Verizon and AT&T Mobility transition to 
the 4G wireless standard, there is the possibility that the “Internet of things” — fa- 
miliar communications devices, such as cell phones, as well as many objects, such 
a refrigerators, identity cards, and clothing — will become uniquely identifiable and 
locatable. 

Some may favor this capability because it will make possible new forms of real- 
time attribution. But for the determined attackers, it will also create new opportuni- 
ties to conceal identity and to turn the techniques of attribution against us. Robust 
security systems should not rely on the perfectibility of attribution. 


o 



